On June 27, 2013, the Federal Communications Commission (FCC) issued a Declaratory Ruling in an effort to expand protection of cellphone data from privacy and security risks. While the ruling applies directly to telecommunications carriers that provide cellphone service, the ruling also impacts cellphone manufacturers and software developers. All businesses that use cellphones in their operations will be impacted by the Ruling as it affects the cybersecurity of their business data.
All cellphones store extensive data regarding the activities of the user on the cellphone, including voice calls, emails, messages and websites visited. Some of this information is stored by choice by the user. For example, the user may choose to utilize applications pre-loaded on the cellphone and the user may choose to download additional applications to use on the phone.
However, cellphones also store extensive data through software that is embedded into the device by the manufacturer at the request of the carrier. The most commonly used embedded software is CarrierIQ, which is capable of storing a wide range of data regarding the use of the cellphone. Not all types of data are stored at all times; carriers determine what types of data they want to collect from each customer's phone at any given time and send signals to the phone directing the CarrierIQ software as to what data to collect from that phone.
Typically, the data is uploaded to the carrier once every 24 hours when the phone is not in use, but the carrier controls the data uploads and can cause the data to be uploaded on command or on some other schedule. The upload is encrypted and data usage is not charged against the customer's data usage limit. The entire process generally is invisible to the customer and the customer cannot turn off or uninstall the software. The data collected, temporarily stored on the phone and periodically uploaded to the carrier is used by the carrier to monitor the performance of the phone and its network and to respond to customer complaints regarding dropped calls, slow data transfer and short battery life. In order to do so, carriers collect specific data regarding, for example, what telephone number the customer calls and from what location and similarly the software collects data regarding messages sent and received and the addresses of the websites visited by the customer (the website uniform resource locator or URL).
The FCC Ruling
The FCC Ruling declares that existing FCC data protection rules, the customer proprietary network information (or CPNI) rules, apply to information stored on cellphones at the direction of carriers, such as the information stored by the CarrierIQ software typically embedded in cellphones at the direction of the carriers. Cellphone and landline telephone customers are generally aware that the CPNI rules require carriers to protect data regarding their phone usage from disclosure to third parties without their consent. While users might have expected that data collected and stored on their phones at the direction of carriers was subject to the CPNI rules, the FCC found that carriers had been interpreting the CPNI rules to apply only to the data after it was uploaded to the carrier. The FCC was concerned that a potential cybersecurity and privacy threat arises when carriers cause data to be stored on cellphones, unless the carriers also are responsible for protecting that data.
Direct Impact on Carriers
By making carriers liable for the protection of data stored on cellphones at the direction of the carrier, the FCC hopes to incentivize carriers to analyze and monitor more carefully the software that the carriers decide to embed in cellphones, such as CarrierIQ, in order to ensure that the software is not vulnerable to cyberattacks and privacy breaches. The Ruling also may influence carrier decisions as to what types of data to direct cellphones to collect and how long the data should be stored on the phone.
Indirect Impact on Cellphone Manufacturers
Because the Ruling incentivizes carriers to analyze and monitor more carefully the operating systems on cellphones that carriers offer or authorize for use on their networks, the ruling will indirectly impact cellphone manufacturers who may now face additional carrier-imposed conditions before their products are accepted for sale. The FCC noted that the Federal Trade Commission earlier took action against HTC, a cellphone manufacturer that offered a phone with a modified version of the Android operating system that was vulnerable to cyberattacks that allowed third parties to access data collected and stored on the phone by CarrierIQ. The FCC noted that the FCC did not take action against carriers that offered or allowed that HTC phone on their networks, but the Ruling now puts carriers on notice that carriers could be held liable for failure to ensure that a cellphone's operating system is not vulnerable to cyberattacks that could lead to unauthorized access to the data collected and stored on the phone at the direction of the carrier.
Indirect Impact on Broad Ecosystem of Cellphone Application Providers
Perhaps the most complicated issue posed by the ruling is the indirect impact it will have on the broad ecosystem of cellphone application providers. The FCC took care to make clear that carriers only have a duty to protect data stored on cellphones where the data is collected and stored at the direction of the carrier, through software such as CarrierIQ. Where a user downloads an application, or chooses a phone with a pre-loaded application, and the application collects and stores data, the carrier is not responsible for the protection of that data. However, the line can become blurred between data collected at the direction of the carrier by software embedded on the phone by the carrier, such as CarrierIQ, versus data collected and stored by applications preloaded on the phone by the manufacturer or downloaded by the user. For example, some applications may be designed to interact with CarrierIQ. In order to monitor the integrity of CarrierIQ, carriers also may conclude they need to more carefully monitor what applications can interact with CarrierIQ and in what ways. Some applications may not interact with CarrierIQ but may collect the same or similar information, making it more difficult for carriers to pinpoint the source of a security and privacy breach.
The FCC took pains to explain that the Ruling was not intended to have a chilling effect on the broad-based ecosystem of cellphone manufacturers, operating system providers and application developers. The FCC acknowledged the tremendous innovation being done by these companies. Nevertheless, we expect the Ruling will require careful analysis by manufacturers and software developers in order to meet the new FCC requirements as they are implemented by carriers.