Wireless Group: Carriers Can Legally Sell De-Identified Customer Information

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Bryce Baschuk  

Jan. 21 --Wireless carriers told the Federal Communications Commission that federal law permits telecommunications companies to share and sell consumer information to third-party groups as long as individual customer identities and characteristics have been removed, according to a filing made public Jan. 21.

CTIA - The Wireless Association sought to persuade policy makers that the practice is legal during a time when Washington continues to debate what privacy protections U.S. consumers should be able to expect from their telecommunications providers.

CTIA urged the FCC to dismiss a Public Knowledge petition to clarify that telecommunications companies are restricted from sharing anonymized consumer information, the filing said. The group said Public Knowledge misread Section 222 of the Communications Act of 1934, as amended, in asserting that anonymized, or de-identified, call records constitute “individually identifiable” customer proprietary network information (CPNI), according to its filing with the commission.

All four major wireless carriers--AT&T Inc., Verizon Communications Inc., Sprint Corp. and T-Mobile USA Inc.--are CTIA members.

The petition stems in part from a Nov. 7 New York Times article that revealed AT&T Inc. had sold to the Central Intelligence Agency some of its customers' anonymized call records. In December, nearly a dozen public interest groups led by Public Knowledge filed the petition for a declaratory ruling with the FCC to clarify that Section 222 forbids communications companies from selling de-identified call records to third parties without their customers' consent.

Even if wireless companies “mask” several phone number digits from the call records they sell, the remaining data--incoming calls, call times and call durations--do not constitute anonymous records because they can be linked back to specific individuals, Public Knowledge said.

CPNI Definition, Characterization

Section 222 prevents carriers from disclosing or permitting access to a customer's individually identifiable CPNI without consent. Under the statute, a telecommunications carrier that receives or obtains CPNI “shall only use, disclose, or permit access to individually identifiable CPNI in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.” The law defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location and amount of use a telecommunications service subscribed to by any customer of a telecommunications carrier.”

CTIA argued that there is nothing in the statute or FCC rules that “suggests customer information stripped of individually identifiable characteristics and identities is subject to the same limitations as information possessing such characteristics,” the filing said. “De-identified CPNI, put simply, is not 'individually identifiable’ CPNI under Section 222(c)(1), and it is not the type of sensitive, personal data for which Congress intended the protections of that section to apply. Rather, if customer information is not individually identifiable and is not aggregate, it falls into a separate category: non-individually identifiable CPNI, or de-identified CPNI.”

CTIA said Section 222(c)(3) of the act “demonstrates that Congress did not have privacy concerns regarding customer information that is not individually identifiable.”

The section says “a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service may use, disclose, or permit access to aggregate customer information”--language that CTIA said “further underscores there exists a separate category of CPNI, non-individually identifiable CPNI.”

The Public Knowledge petition “incorrectly claims that all CPNI falls into one of two categories--aggregate or individually identifiable information,” CTIA said. “To the contrary, a category of customer information exists that is neither 'individually identifiable’ CPNI nor 'aggregate customer information,’ and such information is not the type of personal, sensitive information that must be protected under Section 222(c)(1).”

CTIA warned the FCC that if it “attempts to paint with too broad a CPNI brush,” it risks interfering with the current multi-stakeholder approach to privacy. Industry groups have been working for years to develop voluntary, multi-stakeholder privacy guidelines in coordination with the White House and National Telecommunications and Information Administration. The effort thus far has been limited to discussions regarding privacy protections for mobile applications and facial recognition technologies.

Wheeler Says Issue 'Vexing.'

FCC Chairman Tom Wheeler told Bloomberg BNA the issue was “vexing” during the commission's December open meeting and he has avoided endorsing any specific agency action. Wheeler was previously the president of CTIA from 1992 to 2004.

“I think privacy is a serious issue,” Wheeler said. “I think privacy will be an issue that will be increasingly discussed. This agency has had a role in telecommunications service privacy in the past and as we move to information services it is a legitimate question to ask is there is authority and if so what should be the policy,” he said.

To contact the reporter on this story: Bryce Baschuk in Washington at bbaschuk@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

Read the filing here: http://ctia.org/docs/default-source/default-document-library/ctia-comments-to-pk-cpni-petition-1-17-2014.docx?sfvrsn=2.