Privacy and Net Neutrality
- FCC Announces Enforcement Action on Location Privacy: FCC Chairman Pai has announced upcoming enforcement actions against wireless carriers that disclosed subscribers' location data. Last year Members of Congress called an emergency briefing with the FCC and urged the agency to investigate companies that were selling subscribers' location data. EPIC has long advocated for protection of location data. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed a amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information. EPIC maintains detailed webpages on location privacy. (Jan. 31, 2020)
- EPIC Advises FCC to Protect Privacy of Lifeline Subscribers: In comments on an FCC proposed rule, EPIC said that the agency should not track the Internet use of Lifeline subscribers. Lifeline is a federal program that provides broadband service to economically disadvantaged Americans. The FCC is proposing that Lifeline subscribers install apps to track their data usage and that companies retain detailed records about Internet use by Lifeline subscribers. EPIC said: "Americans should not be required to sacrifice their privacy to access the Internet." EPIC led a campaign and petition opposing the FCC's requirement that telephone carriers retain detailed records of American telephone customers. (Jan. 28, 2020)
- Congress Enacts Robocall Legislation: Congress has passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019. The TRACED Act establishes penalties for certain robocalls and requires voice service provide to develop call authentication technologies. The FCC will develop rules to limit unwanted calls or texts from a caller using an unauthenticated number. EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments to the FCC, and filed multiple amicus briefs in appellate courts emphasizing the need to limit robocalls. (Jan. 2, 2020)
- EPIC to Congress: FCC Must Protect Consumers From Location Tracking and Phone Record Surveillance: Prior to an FCC oversight hearing, EPIC sent a statement to the Senate Commerce Committee outlining priorities for the agency: ending the data retention regulation and protecting location data. In 2015, EPIC petitioned the FCC to repeal the data retention regulation, which requires telephone companies to keep all telephone customer records for 18 months. Every comment received by the FCC favored the EPIC petition, yet the agency has failed to withdraw the regulation. EPIC has long worked to ensure that telephone users are protected from invasive practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Jun. 12, 2019)
- EPIC Again Urges FCC to Repeal Data Retention Regulation: EPIC filed comments with the Federal Communications Commission again urging the agency to repeal a regulation that requires the bulk retention of calling records of American telephone customers. EPIC and a coalition of civil rights organizations, technical experts and legal scholars first signed a petition for repeal of the FCC regulation three years ago. When the FCC docketed the petition for public comment, every comment received by the agency favored the EPIC petition to end the data retention regulation. In comments to the agency last year, EPIC again urged the FCC to drop the requirement. In response to an agency proposal to extend the rule, EPIC explained that "the regulation is unduly burdensome, ineffectual, and threatens privacy and security." EPIC also pointed to recent cases in Europe prohibiting the mass retention of phone records. "The United States has fallen behind other advanced democracies around the world" explained EPIC to the FCC. (May. 13, 2019)
- New FCC Regulation of Robocalls: The FCC published a final rule on robocalls that establishes a single database for reassigned phone numbers, sets a minimum period of 45 days before a disconnected number may be reassigned to a new subscriber, and adopts a limited safe harbor from liability for any caller that relies upon inaccurate information in the database. EPIC submitted comments for this rulemaking, recommending that the FCC (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC has long advocated for robust telephone privacy protections. EPIC filed an amicus brief in 2015 that strengthened consumer protections for robocalls. (Mar. 29, 2019)
- EPIC Urges Senate Committee to Press FCC on Privacy: EPIC has sent a statement to the Senate Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to protect online privacy. EPIC also asked the Committee to press the FCC to repeal a regulation that requires the retention of telephone customer records for 18 months. EPIC filed the petition urging the repeal of this mandate more than two years ago. Every comment received by the FCC favored the EPIC petition. EPIC has submitted multiple comments to the FCC to strengthen online privacy and has recommended an industry neutral and comprehensive privacy framework. (Aug. 15, 2018)
- EPIC Urges FCC To End The Data Retention Mandate: EPIC has sent a letter to the Federal Communications Commission urging the FCC to act immediately on a Petition submitted by EPIC and a coalition of civil rights organizations, technical experts and legal scholars exactly three years ago. The Petition called for an end to the FCC rule requiring the mass retention of phone records, known as the “data retention mandate.” EPIC explained in the Petition that the rule was “unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers. The U.S. Supreme Court recently declared that cell phone location records are protected under the Fourth Amendment in Carpenter v. United States. EPIC wrote in the letter that “as we anticipated in the original Petition, the retention of cell phone data implicates constitutional interests.” All of the comments received by the FCC on this topic favored an end to the mandate. (Aug. 2, 2018)
- EPIC Urges House Committee to Push FCC on Comprehensive Privacy Plan: EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to develop a comprehensive plan for online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections. (Jul. 24, 2018)
- EPIC Urges Congress to Focus on FCC and Privacy: EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC's role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections. (Jul. 27, 2017)
EPIC is a leading privacy advocate before the FCC. In response to EPIC's 2005 petition, the FCC issued a rulemaking strengthening privacy protections for consumers’ telephone records. The D.C. Circuit upheld the rulemaking, establishing support for opt-in privacy safeguards.
In 2010, EPIC wrote to the FCC urging the Commission to investigate Google’s “Street View” vehicle collection practices. The FCC undertook an investigation and in 2012 issued an interim report and fined Google $25,000, finding that the company had obstructed the agency’s investigation. EPIC also filed a FOIA request for the agency’s report, which Google finally released unredacted.
EPIC participated in the Commission’s 2013 rulemaking regarding the privacy of stored data on mobile devices. EPIC filed comments with the FCC urging the Commission to require mobile carriers to implement fair information practices and to adopt techniques for encryption. The FCC ruled that telecommunications carriers must follow the safeguards for Consumer Proprietary Network Information for information stored on mobile devices.
Most recently, EPIC further urged the FCC to investigate Verizon's disclosure of customer record information to the NSA and to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. In conjunction with these action letters, EPIC joined a 2013 petition to the Federal Communications Commission asking the FCC to rule that the sale of consumer phone records to the government is a violation of the federal Communications Act. The petition is currently pending before the Commission.
What is Net Neutrality?
Net neutrality stands for the principle that broadband providers - often referred to as "ISPs," or Internet service providers - should give equal treatment to Internet communications and data flowing over their networks. The FCC has recently approved an extension of net neutrality in the 2015 Open Internet Order. The 2015 Open Internet Order is a rule that reclassifies internet service providers as "telecommunications services" under the Telecommunications Act of 1996. This allows the FCC to regulate certain aspects of ISP behavior.
Before the 2015 Open Internet Order, internet service providers were not classified as "common carriers." A "common carrier" is a company that provides services to the general public and is responsible for the quality and delivery of those services. For example, gas pipelines, electric companies, railroads, and "telecommunications services" (like phone companies) are all "common carriers." This is an important classification, because the government regulates common carriers under different laws and authorities than private companies.
In 2010, while ISPs were not yet classified as telecommunications services, the FCC promulgated a set of net neutrality rules using its authority under Section 706 of the Telecommunications Act. (Section 706 mandates the FCC to encourage the deployment of advanced telecommunications services and to take action if necessary to accelerate deployment.) The FCC's 2010 Order prohibited internet service providers from blocking content, engaging in discriminatory practices such as slowing down or speeding up content of certain end users and content providers, and required ISPs to transparently disclosure network management practices.
The D.C. Circuit ruled in 2010 that the FCC could not regulate ISPs as though they were telecommunications services. However, the D.C. Circuit upheld the FCC’s general authority to promulgate open Internet rules with its Section 706 authority. In response to the D.C. Circuit’s ruling, the FCC announced a new notice of proposed rulemaking regarding open Internet rules. The Commission recently passed its new Open Internet Order by a vote of 3-2.
Under the new Open Internet Order, internet service providers are no longer classified as "information services" under Title I of the Telecommunications Act. Instead, they are classified as common carriers - and specifically, as telecommunications services - and can be regulated under Title II of the Telecommunications Act. This means that the rules that apply to telecommunications services under Title II will now also apply to internet service providers.
What does that have to do with privacy?
Several of the Title II rules - which now apply to ISPs - contain provisions about privacy. These provisions did not apply to ISPs before the 2015 Open Internet Order, but now they do apply. Under the Communications Act of 1934, the FCC can "forbear," or choose not to apply, any rules in Title II that are "no longer in the public interest." In the 2015 Open Internet Order, the FCC made clear that it will forbear most of the provisions of Title II. It will NOT forbear (that is, it WILL apply) sections 201, 202, 206, 207, 208, 209, 216, 217, 222, 224, 225, 254, and 255. Two of these in particular - Sections 201 and 222 - will have a significant impact on consumer privacy.
Prior to the Open Internet Order, the Federal Trade Commission was the primary agency that brought enforcement actions against internet companies that violated consumer privacy. However, Section 5(2)(a) of the FTC Act prohibits the FTC from pursuing actions against “common carriers subject to the Acts to regulate commerce.” The Open Internet Order’s reclassification of broadband Internet access service as a “telecommunications service” makes broadband providers common carriers - at least in their capacity as internet service providers.
The FCC will enforce Section 201 against internet service providers. Section 201(b) of Title II provides that “[a]ll charges, practices, classifications and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.” Section 201’s "just and reasonable standard" is much like the FTC’s Section 5 "deceptive and unfair" standard. The FCC in the past has stated that its Section 201 authority is functionally equivalent to the FTC’s Section 5 authority.
The FCC may pursue broadband providers for unreasonable data security practices. The agency can use Section 201 to ensure that broadband providers take just and reasonable means to protect consumers’ personal data. In 2014, the FCC brought its first data security action, finding that two companies’ failure to protect consumers’ personal data by either encryption or password - “even the most basic and readily available technologies and security features” - constitutes an unjust and unreasonable practice.
Under the Open Internet Order, the FCC will also enforce the consumer privacy provision of Title II, Section 222. This section aims to protect consumers’ personal information collected by carriers, as a result of the customer-carrier relationship. Under this section, carriers must “protect the confidentiality of [consumers’] proprietary information” from unauthorized use and unlawful disclosure. Congress distinguishes between individually identifiable information and aggregate information, “according the category of customer proprietary network information (CPNI) the greatest level of protection.”
CPNI and Consumer Data Under Section 222
CPNI is defined in this section as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” In 1998 the FCC issued rules implementing Section 222’s statutory obligations. In 2007, in response to a petition by EPIC, the FCC issued additional rules regarding CPNI compliance. (However, the Open Internet Order forbears these rules, as they mostly relate to voice and telephone-specific data.) The FTC will conduct a rulemaking to determine how Section 222 and CPNI will apply to broadband Internet access service providers.
Pending that rulemaking, it is still uncertain how much customer data Section 222 covers. This Section could potentially cover all personally identifiable customer data, such as web-browsing history and geo-location data, that is stored on a device or that a broadband service provider tracks as a consequence of the customer-carrier relationship. The language of the Open Internet Order suggests that the FCC is looking to set meaningful privacy and security baselines that broadband providers must follow. Although the specifics as to what customer data will be covered and to what extent are not yet known, the scope of the provision as applied to broadband providers seems appropriately tailored to the full extent of sensitive information broadband providers collect, track, and retain solely incident to their role as an Internet access provider: “As broadband Internet access service users access and distribute information online, the information is sent through their broadband provider. Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers.”
Section 222(a): Protecting the Confidentiality of Proprietary Information
Section 222(a) provides that carriers protect the confidentiality of consumers’ “proprietary information.” While proprietary information is left undefined in the statute, the FCC recently interpreted proprietary information as “broadly encompass[ing] all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of privacy.” The FCC further determined that “the scope of ‘proprietary information’ protected by Section 222(a) is broader than the statutorily defined term ‘customer proprietary network information’ (CPNI),” including “privileged information, trade secrets, and personally identifiable information (PII).” The FCC cited without adopting the National Institute of Standards and Technology (NIST) definition of PII, finding it to be “informative,” and also clarified that “[i]n general, PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
Section 222(c)(1): Use and Disclosure of CPNI
Under this subsection carriers may not use, disclose, or allow access to consumers’ personally identifiable CPNI without the express consent of the customer. Carriers may use CPNI for in-house marketing of other communications services, as well as disclose such information to its agents and affiliates for such purpose, only after providing each customer notice and opportunity to opt-out of having their personal information being used for marketing purposes. Furthermore, carriers may not sell or disclose CPNI to venture partners or third parties without a customer’s opt-in consent. Customer data used in the aggregate and not personally identifiable is not subject to these restrictions on use, disclosure, and access.
The FCC's 2010 transparency rule requires broadband providers to “publicly disclose accurate information regarding the network management practices, performance, and commercial terms” of their broadband service so that consumers may make informed decisions and get what they pay for with no last minute surprises regarding price, speed, and data privacy and security practices. The Open Internet Order enhances this rule. Enhancements include disclosure of packet-loss and more just in-time notifications. The FCC will give safe harbor to those broadband providers who voluntarily adopt disclosure formats that are standalone and easy to ready, “similar to a nutrition label.”
Thus, under the 2015 Open Internet Order, the FCC can use its Section 201 authority to hold liable a provider that makes inaccurate or deceptive representations in connection with the transparency disclosure requirements.
The Open Internet Order mandates compliance with federal surveillance statutes - Communications Assistance for Law Enforcement Act (CALEA), Electronic Communications Privacy Act (ECPA), and Foreign Intelligence Surveillance Act (FISA). Although the applicability of these statutes to broadband Internet providers is not new, the Order’s surveillance compliance mandate is at odds with its focus on customer privacy and data security. While the Order increases the level of privacy and data security protections broadband providers must afford their customers, the Order still requires broadband providers to comply with federal surveillance statutes that weaken the privacy and security of broadband provider networks. CALEA is particularly troublesome, as it requires telecommunications carriers to construct their network in such a way that allows the government a backdoor into the network, for surveillance purposes. These backdoors create heightened network security vulnerabilities, allowing access not just to the government but also hackers and criminals.
- In re TerraCom, Inc. and YourTel America, Inc. (2014) (Section 201, 222(a), data security)
- In the Matter of Verizon, Inc. (2014) (Section 222(c))
- In the Matter of Sprint Corp. (2014) (Do Not Call/Text privacy)
- In the Matter of CenturyLink, Inc. (2012) (Compliance with Rules and Regulations Governing Customer Proprietary Network Information)
- In the Matter of Verizon (2012) (Compliance with the Commission’s Rules and Regulations Governing Customer Proprietary Network Information and Toll Free Numbering)
Related FOIA Work
- FOIA to FCC on President Trump - Chairman Pai Meeting (March 21, 2017)
- Production - Scheduling E-mails (June 6, 2017)
- Open Internet Order of 2015, 80 Fed. Reg. 19737 (2015)
- FCC Open Internet Order Announcement, 2015
- FCC Open Internet Order Website
- White House Net Neutrality Website
- FCC Open Internet Order Summary
- FCC Open Internet Order Fact Sheet
- FCC Notice of Proposed Rulemaking - In the Matter of Protecting and Promoting the Open Internet, May 14, 2014
- Verizon v. FCC
- FCC Open Internet Rules (2010)
- Communications Act, Section 222
- Telecommunications Act, Section 706
- Communications Act Section 551, protection of cable and satellite subscriber privacy
- EPIC: What is CPNI?
- CPNI Implementing Rules
- FCC Declaratory Ruling, Section 222 (2013)
- FCC 2007 CPNI Order
- EPIC 2005 Petition for Rulemaking to Enhance Security and Authentication Standards for Acces to Customer Proprietary Network Information
- 2002 CPNI order
- CPNI enforcement actions
- FTC Act, Section 5(a)(2)
- EPIC: Foreign Intelligence Surveillance Act (FISA)
- EPIC: Electronic Communication Privacy Act (ECPA)
- EPIC: Wiretapping and the Communications Assistance for Law Enforcement Act (CALEA)
- NCTA v. FCC - Concerning Privacy of Customer Proprietary Network Information (CPNI)
- EPIC: FCC v. Google Street View
- Tim Wu, Network Neutrality, Broadband Discrimination, 2003
- EPIC: FCC v. AT&T
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.