Today we urged the Federal Communications Commission to clarify and enforce a provision the Communications Act designed to protect phone customers’ privacy.
Do you ever think about how much your phone service provider knows about you—where you go, how long you stay there, and whom you talk to and for how long? Do you think your provider should be able to sell or share that information with anyone, for any reason? No?
Neither do we. More importantly, neither do lawmakers, which is why in 1996 they passed a law that severely restricted what carriers can do with all this personal information. The law modified the Communications Act to add Section 222, “Privacy of customer information.” Section 222 tells carriers that with few exceptions, they have to get customers’ consent before they can share “customer proprietary network information,” or “CPNI.”
Carriers Are Violating the Communications Act by Selling Customers’ Private Information
Last month, Charlie Savage of the New York Times reported that AT&T has been selling call logs to the C.I.A. without asking customers’ permission to do so. As Harold blogged about, we think this violates Section 222.
And the sale of CPNI to the government isn’t our only concern—when we did a little more poking around, we found that all four major mobile carriers (AT&T, Sprint, T-Mobile, and Verizon) have privacy policies that indicate they believe it is okay to sell or share similar records to anyone. We don’t know whether or not they actually are selling CPNI, but the fact that they think they can is alarming.
We Filed a Petition for Declaratory Ruling at the FCC About This
That’s why today we filed a Petition for Declaratory Ruling at the FCC asking it to declare that the types of records AT&T is reportedly selling to the government are protected under Section 222. Joining us on the Petition are Benton Foundation, Center for Digital Democracy, Center for Media Justice, Chris Jay Hoofnagle, Common Cause, Consumer Action], Electronic Frontier Foundation, Electronic Privacy Information Center, Free Press, New America Foundation’s Open Technology Institute, and U.S. PIRG. You can read our press release here.
Carriers Will Say They’re Not Violating the Law, But They Are
We think the pushback will come from carriers claiming that they always “anonymize” CPNI before they share it. For example, according to the Times article, AT&T “masks” several digits of Americans’ phone numbers before sharing records with the C.I.A. But we don’t think anonymizing records exempts them from Section 222 protections.
Even if anonymizing records before sharing them were enough under Section 222, masking a few digits of some phone numbers is just not enough to truly render records anonymous. Even after personal identifiers have been removed from a dataset, sufficient information that is not traditionally thought of as personally identifiable often remains to “re-identify” specific people. For example, way back in 2000, computer scientist Latayna Sweeney (who is now the Federal Trade Commission’s Chief Technologist) demonstrated that “87% of the US population can be uniquely specified by knowledge of his or her 5-digit ZIP code of residence, gender, and date of birth.” More recently, researchers succeeded in using publicly available information to identify Netflix subscribers in a dataset of movie ratings from which personal identifiers had been removed. “Removing identifying information is not sufficient for anonymity,” the researchers explained. And earlier this year, researchers used a dataset of “anonymized” location data from an unidentified mobile phone carrier to demonstrate that 95 percent of individual users could be uniquely identified using just four location data points.
The Commission Must Enforce Section 222 to Protect Consumers
Now that we’ve filed the Petition, the next step is for the Commission to docket the petition and put it out on public notice for people to comment on it. Let’s hope the Commission does it soon. In the modern age, virtually everyone is a phone subscriber, and we have no choice but to share vast amounts of highly sensitive information with our service providers. Vigorous enforcement of Section 222 is necessary to protect that information.
Original image by flickr user yourdon.