The Federal Communications Commission (FCC) issued a public notice on May 25, 2012 seeking updated comments on the privacy and data security practices of mobile wireless service providers, focusing in particular on how such practices affect customer-specific information stored on mobile handsets, smartphones, tablets and other wireless devices.
This inquiry follows recent revelations that major wireless providers use software created by carrier diagnostics firm Carrier IQ. Several carriers have acknowledged that they use the software to capture certain network and end user device information for network diagnostic purposes. That, in turn has spurred litigation, Congressional inquiries, and regulatory inquiries regarding the privacy implications of the use of such software. The FCC had previously looked at privacy protections for wireless customers when condemning “pretexting” practices whereby unauthorized individuals and entities attempted to mislead carriers so as to gain access to subscribers’ personal information stored in the carriers’ databases.
The FCC is stepping into this new debate and asking mobile wireless service providers to describe their practices related to the collection and storage of customer-specific information on mobile devices themselves. The inquiry seeks responses to numerous questions, including those related to:
- The degree of notice and choice afforded to customers;
- How current information storage practices serve the needs of both carriers and customers;
- Whether current practices create risks or vulnerabilities for data security; and,
- How the current statutory protections afforded to “customer proprietary network information” under 47 U.S.C. § 222 apply to customer-specific information stored on these devices.
A number of large wireless service providers have already revealed certain information concerning their use of Carrier IQ software in response to inquiries from Congress. For example, in a letter to Congress AT&T explained that it uses the Carrier IQ software only for the purpose of collecting diagnostic information about the carrier’s network in order to improve customer experience. AT&T further explained that it does not use the software to obtain the contents of customers’ communications, to track customers’ location on the Internet, or to track customers’ locations. Other wireless service providers offered similar explanations.
In addition, the FCC Staff also released a report on May 25, 2012 on issues arising from the increasing use of location-based services. The Staff report does not constitute formal findings or determinations by the agency, and simply concludes that the Commission should continue to monitor the privacy issues surrounding location-based services. The FCC inquiry can be seen as an attempt to secure a role in the rapidly developing debate over mobile privacy issues, while at the same time allowing the industry to continue to innovate in the mobile space. Congress, the FTC, and the Department of Commerce have already moved in this area. In fact, the FTC is holding a workshop tomorrow, Wednesday, May 30, 2012, on mobile privacy issues.
In addition, some of these issues are already being vetted in the courts. Last week a federal court ruled that a plaintiff’s state law claims against Carrier IQ are not preempted by the federal Wiretap Act, and can proceed in state court.
The comment deadline at the FCC will be set as 30 days following publication of the notice in the Federal Register. Davis Wright Tremaine attorneys advise communications providers on privacy and data security issues. If you have questions regarding this proceeding please contact us.