Recent news stories regarding the National Security Administration’s surveillance programs have revealed that telecommunications carriers are stuck in a difficult situation: caught between the demands of the government for phone records and increasing levels of distrust among consumers regarding how carriers collect and share their personal information. (See PBS News Hour: Can the tech industry strike the privacy safety balance?). Our firm has observed that consumer interest groups are increasingly demanding that the Federal Communications Commission (“FCC”) clarify the obligations of telecommunications carriers in protecting consumer information, and the privacy rights held by each individual consumer. This Advisory will discuss a recent proceeding in front of the FCC regarding these issues, and the consequences of the proceeding for both carriers and consumers.
Following reports in the New York Times that AT&T sold non-aggregated, anonymized call records to the Central Intelligence Agency (“CIA”), Public Knowledge, along with several other public interest groups, filed a Petition for Declaratory Ruling with the FCC asking the agency to clarify that the Consumer Proprietary Network Information (“CPNI”) definition encompasses non-aggregated, anonymized information. (See The New York Times: C.I.A. Is Said to Pay AT&T for Call Data). Such a clarification would mean that carriers must abide by broad protections for CPNI, forcing them to rewrite their current privacy policies. Comments were filed regarding the Petition on January 17, 2014, and reply comments are due March 3, 2014.
Section 222 of the Communications Act defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service . . . by any customer . . . that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship;” including information contained in a telephone service bill. Furthermore, Section 222 prohibits carriers from disclosing such “individually identifiable” information to third parties without the customer’s consent. Carriers may disclose CPNI to third parties if such data has been both “aggregated,” and either “anonymized” or “de-identified.” Anonymization and de-identification are processes by which individual customer information has been removed from the data shared with third parties.
Public Knowledge and the other public interest groups (“Petitioners”) argue that disclosing or reserving the right to disclose non-aggregated call data to third parties violates Section 222. According to Petitioners, call records that have been “anonymized” or “de-identified,” but not aggregated, are at risk of being easily re-identified with a single person by a third party after disclosure. Petitioners interpret Section 222 to distinguish between two forms of CPNI: individually identifiable information and aggregate information. Therefore, all data that has not specifically been aggregated must be considered individually identifiable information.
The Petitioners further state that aggregated information is a narrower category of CPNI. This is because both individual customer identities and characteristics must be removed so as to prevent re-identification with the individual customer for such information to be considered aggregated. Thus, Section 222 cannot be read to allow non-aggregated information to be disclosed absent the customer’s consent as such information can be traced back to the individual customer.
In response, AT&T, CenturyLink, Sprint, and Verizon filed comments on January 17, 2014 arguing that Section 222’s restrictions do not apply as the Petitioners argued. According to the carriers, individually identifiable CPNI does not include non-aggregated information that has been anonymized or de-identified to protect a customer’s privacy. Therefore, disclosure of this information does not violate Section 222.
Moreover, as a technical matter, the carriers state that the Petitioners overstate the risk of re-identification based on non-aggregated, anonymized or de-identified information. According to the carriers, while re-identification is technically a simple endeavor, non-aggregated CPNI provided to third parties cannot be used to identify individual customers because additional information on the customer is required for identification, which the carriers do not provide to third parties.
Finally, the carriers asserted that the delicate balance between consumer protection and the socio-economic benefits of collecting and sharing CPNI would be upset if the FCC granted the Petition. The carriers stated that they already make reasonable efforts to protect anonymized or de-identified CPNI. For example, AT&T stated that the company requires third parties to agree to safeguard CPNI, and not to re-identify the data, in exchange for AT&T sharing such data with these parties. Thus, for AT&T, it would be unnecessary for the FCC to declare that non-aggregated, anonymized or de-identified data fell under the protections of Section 222. Furthermore, the carriers asserted that if the Petition were granted, such action would diminish any socio-economic benefits from data sharing that have yet to be realized due to technological advancements. For example, the Information and Technology & Innovation Foundation stated that recent studies demonstrated that the large-scale collection and sharing of mobile phone data might aid governments in designing better road networks to minimize congestion due to an improved understanding of traffic patterns.
The consequences of the FCC’s action on this Petition go right to the debate over balancing consumer protection with the socio-economic benefits of collection and sharing of consumer data. According to the Petitioners, consumers are increasingly distrustful of carriers in how they handle their personal information. Thus, instances such as AT&T’s sharing of customer data with the CIA demonstrate the need for the FCC to clarify the broad scope of CPNI protections in order to recoup the trust lost by carriers among consumers. On the other hand, carriers contend that the Petitioners’ concerns are overstated; existing anonymization and de-identification procedures are sufficient. Moreover, the socio-economic benefits of data collection and sharing are important enough that the minimal risk of re-identification is acceptable. Thus, in determining its response to the Petition, the FCC must determine the appropriate balance between consumer protection and the socio-economic benefits of data collection and sharing.
If you have any questions or concerns regarding this Advisory, or are interested in filing comments or monitoring replies related to this docket, please do not hesitate to contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at email@example.com.