Mobile telephones seemingly can store everything nowadays. Consumers generally assume that this information is protected – safe from the hands of third-party advertisers, service providers, etc.
In fact, Section 222 of the Telecommunications Act of 1934, as amended (the “Act”), establishes a duty on every telecommunications carrier to “protect the confidentiality of proprietary information of, and relating to . . . customers.” Carriers must take “reasonable precautions to prevent the unauthorized disclosure” of a customer’s proprietary information. The Federal Communications Commission (“FCC”) has adopted rules to implement these obligations.
But what exactly is considered proprietary and, therefore, confidential? Due to growing concerns about the privacy and security risks that consumers face when their carriers collect information about their use of the network, on June 27, 2013, the FCC issued its first Declaratory Ruling in the mobile telephone context clarifying precisely what information must be protected. The FCC’s main concern here is protecting information that is stored on mobile phones (even if that information is not yet stored on the carrier’s network).
What Is CPNI?
CPNI stands for “customer proprietary network information,” and has been defined as information that relates to the quantity, technical configuration, type, destination, location and amount of use of the telecommunications services, which is made available to the carrier by the consumer solely by virtue of the carrier-consumer relationship.
Translated, this includes information such as the telephone numbers called by the consumer on his or her telephone, the frequency, duration and timing of such calls, and any services purchased by the consumer from the telephone company (such as call waiting).
The FCC noted that consumers are able to install third-party applications on their mobile phones that collect sensitive personal information. Information stored on a mobile device that is not under the carrier’s control and not intended to be transmitted to the carrier (or is otherwise not accessible by the carrier) is not CPNI.
The fact that CPNI has not yet been transmitted to the carrier’s servers from a mobile device does not remove the data from the definition of CPNI if the collection has been done at the carrier’s direction.
Why Would Your Carrier Collect and Track CPNI?
The FCC is not barring the collection of CPNI on mobile devices. Quite the contrary – the FCC explained that tracking this information helps carriers improve their service to consumers (e.g., to become aware that calls are being dropped or that a specific geographic location has poor reception). Further, a carrier may use, disclose or permit access to CPNI “to initiate, render, bill, and collect for telecommunications services” or to “protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services.”
Where Does the Concern Arise that CPNI Is Not Protected?
Recent concerns about the unauthorized disclosure of CPNI have arisen largely because of vast changes in technology and the “insecure way in which some carriers caused software provided by Carrier IQ, Inc. to be installed on some mobile devices.” This software has been configured in such a way as to store a great deal of sensitive consumer information in an insecure manner, creating the possibility that it could be captured by malicious third-party applications.
What Are the Carriers’ Obligations With Respect to CPNI?
The FCC specifically noted that the Act does not require mobile carriers to protect their customers against all possible privacy and security risks related to non-CPNI on a mobile device, including risks created by third-party applications. Such risks are generally assumed by consumers by their use of such applications, and the Act does not extend to third-party developers of such applications.
Even where wireless carriers have no ability to restrict third-party applications from accessing data stored on a mobile device, they still have an obligation: if they choose to collect or store CPNI on a device and have access to, or control over, that data, they must take reasonable precautions to protect it from unauthorized access and disclosure by third-party applications, for example by storing the CPNI in a location or form in which it is protected, such as an encrypted format.
Bottom line: The definition of CPNI and the obligations flowing therefrom apply to information that telecommunications carriers cause to be stored on their customers’ mobile devices when the carriers or their designees have access to or control over that information solely by virtue of their relationship with the customer. That information must be protected.