Regulatory Watch : CPNI Rules Leave Wireless Out in the Cold

When the FCC issued its rules (FCC 02-214) on the handling of customer proprietary network information (CPNI) in late July, it created more questions than it answered. One FCC commissioner believes definitions within the ruling “leave dangerous loopholes.”

It also failed to address privacy issues surrounding location-based services. That left the wireless industry wondering why.

“It’s a real loss,” says David Sobel, general counsel for the Electronic Privacy Information Center. “Both the industry and privacy advocates had supported the idea that the commission should address these issues in the early days of the development of these services.”

CPNI includes individually identifiable information regarding a customer’s phone usage, including the services to which they subscribe. CPNI also indicates to whom, where and when subscribers call. The industry has sought to protect users who don’t want their information sold to third parties. The rules the FCC released focus on the nature of customer approval required before a carrier can disclose or permit access to a customer’s CPNI.

Opt-in or Opt-out

At the heart of the matter are the tenets of opt-in and opt-out, terms used to describe how subscribers give or deny a carrier permission to use their information. The FCC’s ruling allows opt-out—that is, the subscriber’s knowing consent when giving CPNI to affiliated entities providing communications-related services, as well as third-party agents and joint-venture partners providing communications-related services. With opt-out, carriers are required to provide customers with advance notice that they intend to use a customer’s CPNI, and give customers an opportunity to disapprove of the use.

In contrast, opt-in requires the customer’s express permission before disclosing CPNI to third parties or to carrier affiliates that do not provide communications-related services. That would include magazine publishing houses or airlines, for instance.

According to the ruling, joint venture partners are those companies that work in conjunction with the primary carrier to provide telecommunications services. An example: Carrier A enters an agreement with Carrier B to provide Internet access or voice mail services. Carrier B can only use the information to sell the telecommunication services and cannot further disseminate that information to Web sites that sell retail services such as travel reservation services or mortgage lending companies.

Treatment of “affiliated entities” is different. If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier’s affiliated entities that provide a service offering to the customer. A wireless division, for instance would be considered an affiliated entity.

Third-party agents include telemarketing companies and other firms that market services for the carrier. The agents are the responsibility of the carrier; the carrier is held liable for any misuse of CPNI by those organizations.

FCC Commissioner Michael J. Copps is bothered by what he sees as a lack of precision in these definitions. In a dissenting statement, Copps wrote that the ruling “does not adequately narrow the definition of ‘communications-related,’ ‘affiliates,’ ‘third-party agents,’ or ‘joint venture partners.’ Without careful definitions the restrictions leave dangerous loopholes. Thus, a telephone company could, without the permission of its customers, sell CPNI to any company that owns an ISP. That’s not good for privacy.” Copps further put his cards on the table: “In light of the grave privacy and competition harms that this order could cause, I respectfully dissent from those parts of this decision that allow carriers to use sensitive personal information without first obtaining the express approval of the customer.”

Apparently, some in the industry are also confused. “People call me up with questions that show me that people can read things differently,” says an FCC spokesperson. “It takes a little while to learn where the distinctions are, but I think the lines in the order are pretty clear.”

Addressing Location-based Services

The Cellular Telecommunications & Internet Association (CTIA) and privacy groups are vexed that the ruling did not address location-based services. CTIA sent the FCC a four-point plan regarding location-based privacy; Congress, in drafting E-911 legislation, also urged the FCC to consider the unique privacy issues regarding a person’s location and travel habits, but the FCC did not include those in its report.

“There are no rules for privacy for the location-based sector,” says CTIA spokeswoman Kim Quo. “But we encourage our industry to follow these privacy rules.” Encouraging wireless carriers that provide location-based services to follow privacy rules is one thing; legal constraints are another. As it now stands, wireless customers, by simply turning on their phones, supply information that belies basic privacy.

“If I get on a plane tomorrow and go to Chicago,” Sobel at the privacy center says, “the provider has the ability to know where I am. They need to know that so they can give me service. That does not involve consent.”

What about third-party marketers? Much has been said about sending text messages touting good restaurants to cell carriers or pinging travelers about discounts on hotel rooms. How do you get permission from the cell phone user to accept such marketing? The carrier, without legal guidelines, could give permission to unrelated entities about one’s travel habits. “If I turn on my phone in Chicago, am I agreeing to use of information that I was in Chicago?” Sobel asks.

The wireless industry wants rules governing location-based services, because it knows that spam on wireless phones could frustrate customers and lead to churn. “Wireless carriers realize that consumers can change carriers and being emailed by a bunch of vendors could hurt their business,” Quo says. “You want to protect your consumers so they don’t become irate.”

“There’s a vast amount of commercial use of this information.” Sobel says. “It’s a direct marketer’s dream of having the daily itinerary of certain individuals.”

The increasing interconnection among telecom devices translates into vulnerability for wireless subscribers. For instance, if one ties one’s home Internet email to a PDA device, the ability of intrusion multiplies. Quo cites the case of a friend who tied his Blackberry and cell phone to his home PC. Does that mean the user automatically opts in for marketing efforts?

“Suddenly your Blackberry has 40 messages, because you visited the ESPN site at home,” Quo says.

Sobel believes that location-based information in the wrong hands could wreak havoc on people’s lives—beyond telemarketing. “I think there are going to be more government agencies interested in gaining easy access to location information,” he says. “That does make it more critical to establish some guidelines so consumers understand what kind of information is collected and who has access to it.”

There are some interesting rules within the order:

• Telecommunications carriers may use or permit access to CPNI for the purpose of providing or marketing service offerings among categories of service to which the customer already subscribes from the same carrier.

• Carriers may not use CPNI to identify or track customers to determine whether customers are calling competing service providers.

• Providers of commercial mobile radio service (CMRS) may use CPNI for the purpose of conducting research on the health effects of CMRS.