German politician Malte Spitze neat infographic threats to hacker Verizon didn’t even bother to respond other carriers “Only to improve our network” ANYONE can petition the FCC (or any agency) for new rules. FCC doesn’t have to listen. No federal agency can, by law, make rules without opening up comments for 30 days.
There were 16 questions that were included in the text. These are merely representative.
- Industries that are self-regulating typically have outside incentive to do so. - Perhaps you’ve heard of the FTC getting involved in the Google $2.1M privacy violation fine? - Because handsets are “owned” by customer they aren’t under the statutory authority of the FCC. - Dropped calls, calls attempted where service is bad: it’s good to know
Carriers really jumped to the consumer response to the disclosure of this. - Jumped by making a better effort to disguise it from the customers. Verizon is not even worried about user backlash. - You think they have all the best lobbyists? Self-regulating industries like video games and movies have solid incentive to do so.
* FTC’s mandate: Fair Credit reporting act, Child Online Privacy Protection Act, Unfair Trade Practices Act (covering policy enforcement, spam, spyware, etc.) * unless you count anti-competitive behavior (collusion, trust, etc.) * View the issue as an “ecosystem” where
2007: EPIC CPNI: Electronic Privacy Information Center thought it was important to address issues of pretexting, wiping refurbished devices. - Also considered carrier responsibility at the handset, but carriers convinced FCC that they couldn’t have enough control to be responsible for them.
They want INFORMATION (Invoke conflict between #6 & #2) Carrier-customer relationship is special because the trust required to let them handle your data. What is protected is periodically updated by Congress. Last act was 1996. Telcos used to try to use this information to market new goods, get customers to switch back, etc
Show of hands for Carterfone (Explain Carterfone blank stares/few hands raised.) - In order to ensure quality of the network, it needed to be a closed system. - Became specs managed by the FCC: Without it we’d still be leasing modems from AT&T. Lets say we buy this argument. That is exactly what the CPNI order was FOR!
Currently if you want to get the cell site location information, data collected on where you go with your phone turned on (for 911), NO carrier will give it to you. Phone companies operate in a deliberate air of obfuscation and misinformation.
Simply aggregating is not enough. Identifiability and the mosiac theory: What is anonymous anyway? Carriers know that “depersonalized” data may be “repersonalized through correlation techniques.
CPNI has traditionally covered equipment vendors as customers as well. - Protects vendors from carriers, vice versa. - Customer is a very broad term.
We all know what this is about: Alternate revenue streams. Changes the competitive playing field in a limited field like this, could force competitors into it. If 1 vendor only cost $40/month when others cost $80 for same service, not going to compete. If users don’t know what they’re losing, how can they make informed tradeoffs?
Comments were pretty evenly split between the pro- and con-regulation. Anyone can submit a comment during the defined period. Every comment becomes a public record. You should comment too!
Think of the Children! *ahem* Seeing a common theme of disadvantaged/uninformed. The minority thing is an issue, because you’re talking about entire classes of people being tracked and monetized.
More user control IS the hacker solution, but it doesn’t work for everyone. Most users expect carriers to protect them and act in their best interests. Liability incentive could be powerful motivator towards relinquishing control
But who has the liability for the data leaks? Who is responsible for security? Those who you don’t trust to manage their phone? Trust and security are intertwined.
If you don’t trust your user to control their device, you can’t trust your user to manage their security. Conversely, if the user can be expected to control their personal data, they should have the trust to control their device.
“ Location” is specifically included in the CPNI statute. It’s unambiguous. Enforcement hasn’t happened yet, but then again, it wasn’t a problem. The current state is very ambiguous as to ownership. - See my ToorCamp talk on location privacy.
Privacy has been taking a beating in the last few years because of Terrist FUD Arguing for privacy is like arguing for motherhood. No reason to deny this for people. Advertising interests are very powerful and work behind the scenes. Insulation between FCC and Lobbyist $$ a Thing.
2007 update process 96-115: 3/15/06 Comments opened. Similar reply period. 399 docs logged Comments were thinly veiled threats against the FCC. The work the Trade Commission is doing against social media will pale in scope to this Even imperfect implementation will help consumers. THE END
Privacy at the Handset: New FCC Rules?
Privacy at the Handset New FCC Rules?
What’s up with the FCC?• Senator Franken became alarmed about CarrierIQ (Thanks to all the hacking!)• Requested info from the carriers on their use of this technology.• Petitioned the FCC for new rules to stop.• FCC, following rulemaking process, issued Notice and opened up for comments.
FCC’s Interesting Questions• What privacy and security obligations should apply to customer information that service providers cause to be collected by and stored on mobile communications devices?• How does the obligation of carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI” apply in this context?• What should be the obligations when service providers use a third party to collect, store, host, or analyze such data?• Many more good ones!
Carriers’ Answers• The industry does just fine regulating itself.• This is the purview of the Federal Trade Commission and will cause conflicts.• The FCC does not have the authority to regulate handsets.• The information the industry collects is necessary to insure good service.
Industry Self-Regulation• After people objected, CarrierIQ was “killed” • Industry is bringing it back under new names • T-Mobile calls the app “System Administrator”• Some carriers are now openly selling user data • Verizon markets user data online • Suggests advertisers “re-correlate”.• How is this even pretending there is self-regulation?
Federal Trade Commission’s Role• FTC is deeply involved in improving mobile privacy, particularly with applications.• FTC has no authority over carriers and their relationships with their customers.• FTC has issued a statement in support of further CPNI regulation.
FCC’s Authority to Regulate • FCC has statutory authority to regulate telephone privacy since 1934.• CPNI=Customer Proprietary Network Information• Mobile privacy has been included since 2007• FCC considered Handsets but so far excluded them from CPNI order so far.
What IS CPNI anyway? 22 USC § 47 (h)(1)• Information • Relating to the “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service.” • Made available to the carrier by the customer solely by virtue of the carrier-customer relationship• Also billing information.• Can not be used toVerizon California,Telco’s own555 F.3d 270 (D.C. Cir. market to a Inc. v. F.C.C., customers. 2009)
Insuring Good Service• Anyone remember the arguments for the Carterfone Decision? 13 F.C.C.2d 420 (1968)• Similar “quality” argument here.• Becomes an argument for including data collected in CPNI: • Information “necessary for the operation of the network.”
Oh, and by the way• CPNI must be disclosed to the customer upon request. • Location data is currently not available to the consumer from any telco.• Knowing what they know would be interesting, wouldn’t it?
Did I mention? • Verizon recently advertised their customer data for sale.http://business.verizonwireless.com/content/b2b/en/precision/overview.
Industry Twist: Aggregation Work-Around Aggregation Work-Around• CPNI customer data may be released in aggregate form. • Only for enumerated purposes.• Statute restricts the release of “individually identifiable” information.• No test yet to decide what is “identifiable”.• Verizon recommends keying to other databases
Handset Manufacturers?• Thoroughly entwined with carriers.• Subsidies and exclusive contracts establish carrier control.• Apple iPhones pose a unique case • Equipment suppliers may also be regulated.
Also Against Regulation• The usual advertising subjects: • Direct Marketing Association • Interactive Advertising Bureau• Alarm Industry Communications Committee• Consumer Banker Association• Nothing much new to offer
On the Consumer Side• The EFF (naturally)• Electronic Privacy Information Center (Initiated 2007 CPNI order covering mobile)• Center for Democracy and Technology• Center for Digital Democracy• Future of Privacy Forum• MA AG & Dept. of Telecommunications• Catholic Bishops (with other clergy)• Hispanic Technology & Telecommunications Partnership (HTTP)• A private citizen• Only 35 total comments• Most discuss need for regulation rather than the form it should take.
Some Less-Obvious Concerns• Catholic Bishops are concerned about children being tracked.• HTTP is concerned about minorities who disproportionately rely on mobile services.
Two Approaches to Regulation1.Give consumers more control • Consumers often are pretty clueless • Many don’t care about that control1.Hold carriers more accountable • Consumer choice could be left behind • Poses enforceability issues
Who Owns Malware?• Obviously the hacker does.• Just a bit hard to regulate hackers• Assignment of responsibility could be used as incentive • Incentive to accountable carriers to provide better security • Incentive for carriers to grant users control
What Should Regulation Look Like?• Carriers must be held accountable (under CPNI order) for everything the consumer cannot control. • Opt-in schemes with opt-out available any time • How much data is really necessary if they can’t sell it?• Carriers need incentive to grant users who want it control. • Carriers become responsible for any data breach on an unlocked phone
Added Bonus for Location Privacy• Location should be included in CPNI.• Far less ambiguity for law enforcement requests for location tracking data.• Would require Pen/trap (judicial) order.• Still a lower standard than 4th Amendment probable cause search warrant.
Likeliness of Change• Politics are in a pro-privacy upswing now. • Many Senators are making a stand • White House created a privacy initiative• Even the GAO has signaled the need for greater privacy controls.• “Defense” and “law enforcement” arguments are moot here.
Conclusions-Predictions• There will probably be new regulation soon• The Telcos will sue, challenging the statutory basis for the regulation. • Telcos will try to keep it tied up in court. • They will not win (out on a limb here).• Enforcement will become a huge mess.• Consumers will still benefit from regulation
2007 Update Process• March 15 2006 Notice issued.• Similar comment period. (30 day comment, 30 day reply)• 399 docs logged - only 37 here. Why?• Sunshine Act meeting July 6, 2006• Rule posted June 8, 2007
Complete List of Questions1. How have [data privacy] practices evolved since we collected information on this issue in the 2007 Further Notice?2. Are consumers given meaningful notice and choice with respect to service providers’ collection of usage-related information on their devices?3. Do current practices serve the needs of service providers and consumers, and in what ways?4. Do current practices raise concerns with respect to consumer privacy and data security?5. How are the risks created by these practices similar to or different from those that historically have been addressed under the Commission’s CPNI rules?6. Have these practices created actual data-security vulnerabilities?7. Should privacy and data security be greater considerations in the design of software for mobile devices, and, if so, should the Commission take any steps to encourage such privacy by design?8. What role can disclosure of service providers’ practices to wireless consumers play?9. To what extent should consumers bear responsibility for the privacy and security of data in their custody or control? 1. Whether the device is sold by the service provider; 2. Whether the device is locked to the service provider’s network so that it would not work with a different service provider; 3. The degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information; 4. The service provider’s role in selecting, integrating, and updating the device’s operating system, preinstalled software, and security capabilities; 5. The manner in which the collected information is used; 6. Whether the information pertains to voice service, data service, or both 7. The role of third parties in collecting and storing data.10. Are any other factors relevant?11. If so, what are these other factors, and what is their relevance?12. What privacy and security obligations should apply to customer information that service providers cause to be collected by and stored on mobile communications devices?13. How does the obligation of carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI” apply in this context?14. What should be the obligations when service providers use a third party to collect, store, host, or analyze such data?15. What would be the advantages and disadvantages of clarifying mobile service providers’ obligations, if any, with respect to information stored on mobile devices—for instance through a declaratory ruling?
References• Neat Infographic: Zeit Online, Betrayed by our own Data, http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz/komplettansicht.• Statute authorizing CPNI Regulation: 47 U.S.C. § 222• CPNI Regulation: 47 C.F.R. § 64.2001 et. seq.• FCC’s code for CPNI Rulemaking Information: 96-115• FCC’s code for CPNI Compliance Certification: 06-36• Federal Register of official publications: https://www.federalregister.gov/• White House announcement of Comprehensive Privacy Blueprint (under Dep’t of Commerce): http://www.ntia.doc.gov/blog/2012/white-house-unveils-new-comprehensive-privacy-blueprint• FTC: Beyond Voice: Mapping the Mobile Marketplace http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf.• Google’s consent decree with Federal Trade Commission, published April 5, 2011, https://federalregister.gov/a/2011-7963• Pew research on mobile communications http://pewresearch.org/pubs/1601/assessing-cell-phone-challenge-in-public-opinion-surveys.• Privacy and Data Management on Mobile Devices | Pew Research Centers Internet & American Life Project: http://pewinternet.org/Reports/2012/Mobile-Privacy.aspx• Senate’s “Privacy Bill of Rights” http://thomas.loc.gov/cgi-bin/query/z?c112:S.799:• Mosaic theory, see United States v. Maynard, 615 F.3d 544, 557 (D.C. Cir. 2010)• Notice link sent via SMS on Aug. 30, 2012 to T-Mobile customers: https://support.t-mobile.com/docs/DOC-2929?noredirect=true• Verizon’s marketing information on user data: http://business.verizonwireless.com/content/b2b/en/precision/overview.html• Verizon’s limited “opt out” requirements: http://www.hyperorg.com/blogger/2009/03/07/tales-of-data-pirates-opting-out-of- verizons-open-ended-sharing/