FCC and Congress at Odds on New Legislation in re Mobile Carriers Privacy Practices

By B.N. Frank

The Federal Communications Commission (FCC) is supposed to protect Americans by regulating the telecom industry. Instead, for decades, it has mostly catered to the industry (see 1, 2) which has led to numerous lawsuits filed against it (see 1, 2, 3). Currently, however, the FCC seems interested in preserving at least some of Americans’ right to privacy.

From Ars Technica:

FCC chair tries to find out how carriers use phone geolocation data

Inquiry launched as Congress debates bill that could gut FCC’s privacy authority.

Jon Brodkin

Federal Communications Commission Chairwoman Jessica Rosenworcel has ordered mobile carriers to explain what geolocation data they collect from customers and how they use it. Rosenworcel’s probe could be the first step toward stronger action—but the agency’s authority in this area is in peril because Congress is debating a data privacy law that could preempt the FCC from regulating carriers’ privacy practices.

Rosenworcel sent letters of inquiry Tuesday “to the top 15 mobile providers,” the FCC announced. The chairwoman’s letters asked carriers “about their policies around geolocation data, such as how long geolocation data is retained and why and what the current safeguards are to protect this sensitive information,” the FCC said.

The letters also “probe carriers about their processes for sharing subscriber geolocation data with law enforcement and other third parties’ data-sharing agreements. Finally, the letters ask whether and how consumers are notified when their geolocation information is shared with third parties,” the FCC said.

“Mobile Internet service providers are uniquely situated to capture a trove of data about their own subscribers, including the subscriber’s actual identity and personal characteristics, geolocation data, app usage, and web browsing data and habits,” the letters say. Under US communications law, carriers are prohibited from using or sharing private information except under specific circumstances.

Rosenworcel told carriers to answer the questions by August 3. Letter recipients included the big three carriers AT&T, T-Mobile, and Verizon; cable companies Comcast and Charter, which resell mobile service; mobile operators Consumer Cellular, C-Spire, Dish, Google, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, and US Cellular; and Best Buy Health, which operates the medical-focused Lively mobile service.

FCC has authority over phone privacy… for now

The FCC letters pointed out that in February 2020, it proposed fines totaling $208 million after AT&T, Sprint, T-Mobile, and Verizon were caught “selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” While that practice is believed to have been stopped, this week’s FCC letters said there’s still reason to worry about the data collected by carriers:

These carriers voluntarily determined to end the sale of real-time location information to location aggregation services However, last year, a report by the Federal Trade Commission that studied ISPs representing 98 percent of the mobile Internet market observed that ISPs collect more data than is necessary to provide services and more data than consumers expect.

The $208 million in proposed fines is apparently still pending, but the FCC said it “has ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and the agency is continuing its investigation into these practices.”

The FCC inquiry is important “in light of the long history of abuses by carriers selling this kind of detailed and hyper-accurate information to law enforcement, bounty hunters, and even stalkers,” said Harold Feld, senior VP of consumer advocacy group Public Knowledge. Mobile carriers “have unique access to highly accurate geolocation information—known as A-GPS—designed so that 911 responders can find a caller with pinpoint accuracy,” and have “access to other information that can be combined with geolocation to produce a detailed picture of a person’s activities far beyond what applications on the handset can provide,” Feld said.

Although the FCC gave up its Title II authority over broadband under former Chairman Ajit Pai, Feld noted that the agency still has substantial authority over phone service. “The FCC has specialized power to force carriers to respond,” Feld wrote. “It has the power to impose transparency requirements to reveal when law enforcement abuses the legal process to obtain deeply personal phone information. It has the power to require specific data minimization and data protection obligations if necessary. The FCC has used this power in the past to create new rules in response to revelations that stalkers had access to carrier information, and should not hesitate to use its regulatory powers again if necessary.”

Privacy bill could preempt FCC regulations

But Feld and others are concerned the FCC could be prevented from regulating the phone industry’s privacy practices under bipartisan legislation that was approved by the House Commerce Committee on Wednesday. The American Data Privacy and Protection Act (ADDPA) “makes the Federal Trade Commission the sole enforcement agency overseeing data privacy, with a few exceptions, preempting the role of the Federal Communications Commission,” The Washington Post wrote.

“The FCC’s investigation into mobile carriers’ geolocation data policies is a powerful reminder that the FCC already has the authority to protect the privacy of mobile phone customers” under Section 222 of the Communications Act, Stanford Law Professor Barbara van Schewick wrote on Twitter. “The federal privacy bill ADDPA negotiated in Congress would eliminate this authority.”

As van Schewick alluded to, the bill text has a section about “non-application of FCC privacy laws and regulations to covered entities,” which says that many FCC rules “shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.”

FCC’s questions for carriers

Among other things, Rosenworcel’s letters ask carriers to describe in detail the geolocation data they collect and retain from customers, to explain why such data is retained for current and former subscribers, how long the data is retained for, a description of safeguards used to protect the data, and what country or countries the geolocation data is stored in.

The letters also ask for details regarding how data retention policies are disclosed to subscribers, data deletion policies, and whether subscribers can opt out of data retention.

A second list of questions focused on data sharing asks for each carrier’s “process and policies for sharing subscriber geolocation data with law enforcement;” for descriptions of “the arrangements, agreements, and circumstances in which [the carrier] shares subscriber geolocation data with third parties that are not law enforcement;” and whether subscribers are “notified of the sharing of their geolocation information with third parties that are not law enforcement.”

The data-sharing section also probes whether the carriers let customers opt out of programs that share data with third parties:

Describe in detail the process by which a subscriber may opt out of the sharing of their geolocation data. Under this opt-out process is that subscriber’s data still shared with third parties? In particular, does the opt-out process allow a subscriber to opt out of the sharing of their geolocation data with all third parties that are not law enforcement?

Because geolocation data is highly sensitive and can be combined with other types of data, “the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy,” Rosenworcel told carriers in the letters.