CDT files joint opposition in support of the FCC’s authority to protect the privacy of Lifeline customers and applicants

Today CDT joined a group of advocacy organizations in filing in a somewhat obscure regulatory proceeding with significant implications for the privacy of every user of telecommunications services. Our filing is an opposition to CTIA — The Wireless Association’s (CTIA) petition for partial reconsideration of the FCC’s most recent Order addressing issues related to its Lifeline program. Lifeline is a government-subsidized phone service program for low-income customers. The Order reminds carriers of representations made in other contexts regarding their privacy and data security practices, and explains the legal grounds by which the Commission could proceed against carriers with extremely lax or nonexistent privacy and security practices. Although CTIA does not oppose customer privacy and data security per se, it maintains that the FCC lacks authority to impose confidentiality and security requirements upon carriers for Lifeline applicants’ and customers’ data falling outside the definition of Customer Proprietary Network Information (CPNI) found in section 222 of the Communications Act. CTIA is essentially arguing that carriers can collect, use and share all of Lifeline applicants’ and customers’ information that is not CPNI – which could include social security numbers, financial information, birth dates and home addresses – without having to implement privacy protections for this information.

CTIA’s position is problematic for a number of reasons. The most immediate impact of a decision in CTIA’s favor would be felt by low-income individuals and families that have applied for or currently use the Lifeline program. Participants have an income that is at or below 135% of the federal Poverty Guidelines, or are recipients of government benefits such as Medicaid, food stamps or Section 8 housing. Applicants must provide documentation of their income eligibility (such as tax returns and paystubs) or documentation of their participation in other government benefits programs to qualify, and carriers must retain records on how the applicant demonstrated his or her eligibility. Retention of such sensitive personal information without accompanying privacy and security standards could threaten Lifeline recipients’ financial, personal, and professional well-being. For example, imagine if a carrier were to allow data brokers like those profiled in the 2013 Senate report to access Lifeline participants’ eligibility records. These brokers might catalogue the participants into marketing lists with titles such as “Rural and Barely Making It” or “Ethnic Second-City Strugglers” and sell these lists to various lenders. Predatory lenders could then have access to troves of information on individuals who are more likely to enter into financially risky credit agreements.

This is only one example of the social justice and corporate responsibility concerns raised when an entire group of people, particularly an underprivileged group, is denied the right to privacy protections. US legislators and courts regularly affirm individuals’ right to privacy and companies increasingly embrace the position that privacy is a fundamental human right. Lifeline customers, and all individuals, are entitled to adequate protection of sensitive personal information they share with their wireless providers.

Broader concerns about the FCC taking on a more pronounced role in privacy protections may have been one motivation in CTIA challenging the limited action taken by the Commission in the Lifeline Order. To be sure, the issues raised by Title II privacy protections — whether in the Lifeline program, circuit-switched network, or the broadband context — are complex. CDT hopes the Commission will undertake a rule-making that will tee up the more prominent and pressing broadband privacy issues. The Lifeline Order‘s entire discussion of privacy and data security issues and obligations amounted to only a few paragraphs. But those paragraphs are important. Lifeline applicants and customers should not be denied basic privacy protections for personal information shared with carriers. Restricting the Commission’s authority to take any action whatsoever with respect to privacy and data security would jeopardize all telephone and broadband subscribers’ privacy rights, undermining confidence in and use of essential telecommunications services.