Today, CDT and 58 other organizations submitted a letter to the Federal Communications Commission (FCC) calling on the agency to initiate a rulemaking to protect the privacy of broadband Internet customers. CDT believes that establishing broadband privacy rules under the FCC’s Title II authority is a critical step toward securing Internet users’ privacy online. We urge the Commission to take that step as soon as possible.
Why should this happen now?
Traditionally, broadband carriers’ use of customer data has only been covered by Section 5 of the Federal Trade Commission (FTC) Act. Section 5 allows the FTC to address “unfair or deceptive” practices resulting in consumer privacy violations, but does not give the agency authority to establish prospective privacy rules. So while the FTC can use Section 5 to address bad actors after the fact, it cannot specify how broadband carriers should protect their customers’ privacy.
As part of the Open Internet Order, the FCC applied Section 222 of the Telecommunications Act to broadband Internet access service (BIAS) providers. Section 222 mandates privacy protections for some of the data that carriers collect from transmissions travelling across their networks. Therefore, the FCC’s application of Section 222 to broadband carriers could significantly enhance the privacy of broadband customers’ data beyond the ex post actions available to the FTC. However, since Section 222 has previously only applied to telephone service, the FCC must address a host of questions regarding the interpretation of Section 222 and its application to BIAS before we’ll know the full extent of these new safeguards. The coalition letter applauds the spirit of cooperation between the FTC and FCC on privacy issues and urges the FCC to commence a rulemaking to outline its approach to implementing Section 222’s protections.
How does Section 222 protect consumers’ privacy?
Section 222(a) creates for telecommunications carriers a duty to maintain the confidentiality of “proprietary information” (PI) of, and relating to customers, equipment manufacturers, and other carriers. PI is not defined in the Act. Sections 222(c) and (d) control how, and under what conditions, carriers may use, share, or disclose “Customer Proprietary Network Information” (CPNI), the definition of which includes information related to the “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications system…and information contained in bills.”
The statutory definition of CPNI arguably does not include some kinds of customers’ personal information, such as social security numbers, that should receive privacy protection. However, the FCC has said that this personal information may be entitled to protection under Section 222(a). This interpretation of Section 222 could create a range of new data points that, if collected by carriers, would require protection.
What might these protections look like in actual rules?
This is the critical question FCC rulemaking is expected address. CDT believes much of the customer information collected by broadband Internet service providers can be protected under the FCC’s Section 222 authority. Section 222(h)’s definition of CPNI provides a helpful roadmap for how some of these protections might look in rules. Based on this map, CDT created a diagram and explanatory memo illustrating what kinds of information associated with broadband communications might fit within Section 222(h)’s definition of CPNI.
As explained in the diagram, the Commission should consider anchoring the definition of CPNI to technical aspects of the transmissions generally carried by BIAS providers. In particular, anchoring the definition of CPNI to the individual components, known as “packets,” that make up all Internet traffic will allow the definition to apply to all transmissions across the Internet. The diagram explains how packets travel across the Internet, which parts of the packet could be covered by the definition of CPNI, and the privacy implications raised by collection and compilation of these data points.
In addition to specific rules under Section 222, we believe the FCC can use its authority under Section 201 to prevent unjust and unreasonable practices that threaten customers’ privacy. We will explore this and other broadband privacy questions in future blog posts.
We appreciate the FCC’s important decision last year to retain authority to protect consumer privacy on broadband telecommunications services, and the Commission’s work to enforce existing privacy protections for voice communication, and to require greater transparency for broadband provider service practices. We look forward to working with the Commission to further secure consumers’ data online.