Last week the Federal Communications Commission (FCC) voted unanimously to pass rules that will require mobile phone carriers to provide emergency responders with precise location information about customers who call 911. In months leading up to the Order, OTI and a number of other groups urged the FCC to resolve privacy and security concerns associated with mobile phone customers’ location information.
Yesterday the full text of the FCC’s 911 location Order became available. Here are the four things you need to know:
First, the FCC clearly heard the privacy and security concerns raised by OTI and our allies. The Order discusses privacy and security concerns throughout, including many of the specific concerns we raised in comments, a letter to the Chairman and Commissioners, and meetings with FCC staff.
Second, although the FCC heard our concerns, it is unclear whether and how these concerns will be addressed by the 911 location system when it is ultimately deployed. The Order requires carriers to certify that the proposed “National Emergency Address Database” (NEAD)—a database carriers plan to create to help locate 911 callers—will not be used for any other purpose, but does not create any new regulations governing the privacy and security of mobile phone customers’ location information. Importantly, the Order requires carriers to “develop and submit for Commission approval a detailed Privacy and Security Plan” for NEAD within 18 months. Carriers are “expected” to collaborate with privacy advocates to develop the plan, which will then be made available for public notice and comment, allowing privacy and security advocates to weigh in again. Finally, the FCC reserves the right to take action to protect mobile phone customers’ privacy down the road; specifically, following public notice and comment on the Privacy and Security Plan, the FCC will “evaluate the need to take any additional measures to protect the privacy, security, and resilience of the [database] and any associated data.”
With this order, the FCC has effectively warned carriers that they need to take seriously all privacy and security concerns associated with 911 calls. The FCC has encouraged a “privacy-by-design” approach to the creation of the new 911 location system by mobile carriers and carriers are expected to design the system with customer privacy and security in mind from the start. In addition, the FCC reserves the right to reject the design if it fails to appropriately address those concerns.
Third, the FCC still has not addressed alternate uses of the underlying technology that will be developed and deployed to support 911 location accuracy. As OTI and our allies weighed in on this docket over the past few months, we repeatedly expressed concern that not only might 911 location or NEAD data be vulnerable to abuses for commercial or surveillance purposes, but that the very technologies that underlie 911 location information might be vulnerable as well. For example, if, in the course of improving 911 location information, carriers were to begin building barometric sensors into handsets, would third-party applications installed on handsets have access to output from those sensors?
We explained in our comments that we believe information derived from the underlying technologies—such as new sensors or firmware—qualifies as a specific class of carefully protected information called “customer proprietary network information” (CPNI). Information that is CPNI cannot be shared with third parties without opt-in customer consent. We asked the FCC to clarify the scope of CPNI with respect to new location technology, and the FCC declined to do so in this Order.
Fortunately for consumers, the Commission will soon have another chance to address the changing nature of CPNI, and to redefine the term in a way that ensures important privacy protections continue to apply to information that phone customers consider sensitive. That’s because the Commission is currently conducting the “Tech Transitions” rulemaking to determine how to ensure its rules remain relevant and current as we transition from a traditional copper-based phone network to one that operates over Internet-Protocol (IP) multimedia networks. The 911 location Order illustrates that the Commission will have its work cut out for it on privacy and security in that context.
Fourth, the FCC is uniquely positioned to protect privacy in telecommunications. Some (read: the telecom industry) have questioned the need for the FCC to regulate privacy at all. But where consumer privacy is concerned, telecommunications providers really are different from other entities that collect customer information. They provide an essential service, and customers have no choice but to share highly personal information with them in order to obtain that service. As a result, there is no real ability for consumers to opt out of having their information collected by telecommunications providers. You might not like the idea of carrying a device around with you that is capable of pinpointing your physical location within 50 meters, but carriers will soon build that into all phones, so the only way you can avoid that will be to not have a phone, which isn’t really a choice.
Consumers expect and appreciate the extra protection afforded telecommunications records, because they consider location information tracked by their phones to be extremely sensitive—more sensitive, in fact, than information about their health or the content of their emails or phone conversations. A recent report published by the Pew Research Center found that 82% of American adults considered the details of their physical location gathered over a period of time from the GPS on a cell phone to be “very sensitive” or “somewhat sensitive.” The numbers on health information, content of phone conversations, and content of emails were 81%, 81%, and 77%, respectively.
The FCC may not have passed new rules in this Order to protect phone customers’ location information, but it has the authority to do so. This Order hints that the FCC will consider using that authority to ensure location information is appropriately protected from abuses.