Letter to FCC on Privacy for Wireless 911 Location TechnologiesJanuary 14, 2015
To read the full letter and comments, use the “download” button at the bottom of the page.
Dear Chairman Wheeler and Commissioners:
New America’s Open Technology Institute, American Civil Liberties Union, American Library Association, Benton Foundation, Brennan Center for Justice, Center for Democracy & Technology, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumer Federation of California, Consumer Watchdog, Defending Dissent Foundation, Electronic Frontier Foundation, Public Knowledge, Privacy Rights Clearinghouse, Sunlight Foundation, U.S. PIRG, and World Privacy Forum (collectively “privacy advocates”) urge you to ensure that at the same time the Commission votes this month on new regulations concerning E911 improved location accuracy, the Commission commits to carefully considering and resolving associated privacy concerns.
Public safety should not come at the expense of consumer privacy—nor does it have to. The E911 rules that the Commission will vote on at the end of month have the potential to save thousands of lives each year, but the development of highly precise location technologies designed to comply with the new regulations will raise a host of privacy concerns that have not been sufficiently addressed in the E911 proceeding. We therefore ask the Commission to commit to updating existing privacy protections, and to make clear to carriers that they must build in critical privacy protections for new location technologies.
Now is a critical time for the Commission to consider and resolve privacy concerns regarding location information. The E911 regulations currently before the Commission will trigger the development of new location technologies. Addressing privacy concerns at this early stage will ensure that the entities required to comply with the E911 regulations are able to plan development of those new technologies accordingly. Conversely, if the Commission does not resolve privacy concerns at this critical stage, it may lose the opportunity to address those concerns before highly precise, privacy threatening location technologies become entrenched.
We understand that the regulations to be voted on at the end of the month will likely include a provision requiring carriers to file privacy and security plans with the Bureau and to obtain approval and certification of those plans before they may begin using the updated E911 location system. With this in mind, we urge you to make it clear to carriers that privacy and security plans will not be approved unless they include the following:
A mechanism whereby owners of wireless consumer home products are able to opt out of having their devices included in the National Emergency Address Database (“NEAD”). Users of networked devices likely do not expect that information about their personal devices and physical address will be stored in a national database that is accessible to multiple parties, and should have the option not to include select devices in the database.
A system design in which E911 location functionality can only be triggered through the handset, and not remotely. Because the updated E911 system will be capable of delivering customer location information with high precision, access to that system must be vigorously protected from outsiders, such as malicious hackers and foreign governments. The best way to protect the system from misuse is to design it in such a way that it can only be triggered from the handset at the time a 911 call is placed.
Assurance that technologies designed to comply with E911 requirements (e.g., barometric sensors or firmware that determines location using WiFi and Bluetooth) will not be made available to third parties without consumers’ express opt-in consent. Consumers are highly protective of their location information. For example, last November the Pew Research Center reported that 82% of American adults consider the details of their physical location gathered over a period of time from the GPS on a cell phone to be “very sensitive” or “somewhat sensitive.”
Assurance that, in accordance with their preferences, consumers will not only be able to turn location services on or off via a global setting on their mobile devices, but will also be able to granularly grant or deny access to location services to each application. Consumers may wish to take advantage of new location technologies to share precise location information with some third-party applications, but not others, and should have the ability to make that determination on an application-by-application basis.
Assurance that information gathered from E911 technologies are not used by or disseminated to third parties, including government entities. The information gathered through E911 systems will be highly sensitive. Procedures should be put in place to ensure that such information is only used for E911 purposes, is purged within a limited proscribed timeframe, and is never sold or shared with third parties, including government entities.
The E911 regulations also raise questions about whether new types of location information will be covered under the Commission’s existing privacy framework. The Commission’s rules governing customer proprietary network information (“CPNI”) would likely apply to all location information collected using technologies designed to comply with FCC rules. However, existing privacy rules must be updated for clarification. We therefore urge you to commit to conducting a separate proceeding to update the Commission’s existing privacy rules, including CPNI rules.
Improving E911 location accuracy standards will save many lives. But public safety should not and need not come at the expense of privacy. When you vote on the E911 regulations at the end of January, please provide carriers with a list of elements you expect to see included in their privacy and security plans. Please also commit to analyzing and updating the Commission’s privacy rules to account for new technologies.
 The Benton Foundation is a nonprofit organization dedicated to promoting communication in the public interest. This letter reflects the institutional view of the Foundation and, unless obvious from the text, is not intended to reflect the views of individual Foundation officers, directors, or advisors.
 Many of our organizations explained this in comments we filed with the Public Safety Bureau last month, a copy of which is included as an appendix to this filing.
 50% said this information is “very sensitive”; 32% said it was “somewhat sensitive. Pew Research Center, Public Perceptions of Privacy and Security in the Post-Snowden Era 34 (2014), http://www.pewinternet.org/files/2014/11/
 “[T]he definition of CPNI in section 222 and the obligations flowing from that definition apply to information that telecommunications carriers cause to be stored on their customers’ devices when carriers or their designees have access to or control over that information.” Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling, 28 FCC Rcd 9609, 9611 (June 27, 2013) at ¶ 8.
 It would be appropriate to consider and resolve these questions within the context of the tech transition docket.