FCC updates CPNI rules to protect carrier information on devices
By Michael Higgs
The Federal Communications Commission recently moved to close a technology gap in its Consumer Proprietary Network Information (CPNI) rules. Specifically, new software used by carriers and installed on the end-user device is capable of collecting and storing information, such as numbers called and received, as well as the time, duration and location of calls. Because this sensitive information resides on the device, it is incumbent on the carriers to protect that data.
This latest update to the Commission’s CPNI rules was brought about by the Carrier IQ snafu of November 2011. Carrier IQ software was used by numerous carriers to receive information about how their networks—and the devices used on those networks—were performing. When a researcher discovered security vulnerabilities that permitted third parties to access the information collected by the Carrier IQ software from handsets, an investigation was launched into the overall security of sensitive information throughout the mobile services industry.
The FCC is cognizant of the many potential benefits that come with the collection of CPNI on mobile devices, but it seeks to ensure that the confidentiality of such CPNI is adequately protected and that it is used only as permitted under the law. While a carrier might have sufficient information in its own network to see that calls are being dropped in a specific area, the mobile device itself is in a better position to collect information about the reasons for the dropped calls.
Handset data is useful in determining which parts of a network are most in need of improvement, in seeing which models of phones are experiencing more problems than others, and in troubleshooting customer problems with the device or mobile service. It is because the collection and storage of CPNI on the end-user device creates foreseeable risks that the Commission imposes security responsibilities on the carriers that engage in such practices.
The FCC’s CPNI rules heretofore protected consumers from the disclosure of information by carriers or their designees, but this recent declaratory ruling takes the CPNI rules one step further. Carriers are now responsible for cybersecurity and for protecting CPNI from theft or misappropriation at the handset level.
Note that not all information on the handset is covered by this ruling—personal pictures, e-mails, texts and the like are not at issue here. Also not included under this ruling are third-party applications installed by end users that might collect the same or similar kinds of information.
However, when CPNI is collected by the subscriber’s mobile device—provided the collection is undertaken at the carrier’s direction and that the carrier, or its designee, has access to or control over that information—it must be adequately protected by the carrier.