FCC Issues Declaratory Ruling on CPNI
Amid the firestorm set off by Edward Snowden's leaked information about the NSA's surveillance programs, the FCC Thursday took action to protect the privacy of consumers wireless service by clarifying its customer proprietary network information (CPNI) policies.
"Today's Declaratory Ruling rests on a simple and fundamentally fair principle: when a telecommunications carrier collects CPNI using its control of its customers' mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information," the FCC wrote in a statement.
Specifically, the Declaratory Ruling makes clear that when mobile carriers use their control of customers' devices to collect information about customers' use of the network, including using preinstalled apps, and the carrier or its designee has access to or control over the information, carriers are required to protect that information in the same way they are required to protect CPNI on the network.
Information covered under the rules can include phone numbers that a customer has called and received calls from, the durations of calls, and the phone's location at the beginning and end of each call.
Carriers are allowed to collect this information and to use it to improve their networks and for customer support. The FCC notes that the collection of such data can benefit consumers by enabling a carrier to detect a weak signal, a dropped call, or trouble with particular phone models.
But if carriers collect CPNI in this manner, today's ruling makes clear that they must protect it.
The Declaratory Ruling does not impose any requirements on non-carrier, third-party developers of applications that consumers may install on their own. The ruling also does not adopt or propose any new rules regarding how carriers may use CPNI or how they must protect it.
The FCC can take enforcement action in the event that a failure to take reasonable precautions causes a compromise of CPNI on a device. This clarification avoids what would otherwise be an important gap in privacy protections for consumers.
Although CTIA had not yet read the Declaratory Ruling, the association said it was very pleased with the effort made to clairfy the commission's rules around CPNI data.
"As CTIA has highlighted in this proceeding, protecting consumer privacy in an open Internet environment will require multi-faceted efforts that include a broad range of participants, extending well beyond the carrier-consumer relationship," wrote CTIA Executive Vice President Chris Guttman-McCabe.