The FCC is asking about the security practices of carriers with respect to customer information stored on customer devices and the application of existing privacy and security requirements to that information. The Wireline and Wireless bureaus and General Counsel's Office jointly made the request in a public notice. It follows a series of questions from Capitol Hill about Carrier IQ software, raised by Rep. Ed Markey, D-Mass., Sen. Al Franken, D-Minn., and others in Congress (WID Dec 5 p5).
"I'm delighted the FCC is finally looking into the ways people's data is gathered from their mobile devices and how it is used," said John Simpson, consumer advocate at Consumer Watchdog, a group that's often been critical of Google and other Internet companies. "The extent of the monitoring that has been going on needs to be made clear so that necessary regulations to protect users' privacy can be implemented. Mobile has been the Wild West of the communications world where anything companies wanted to do was done. That's got to stop. The FCC needs to assert its authority and play the role of sheriff."
"The FCC is finally waking up [to] the consumer mobile privacy threat," said Jeff Chester, executive director of the Center for Digital Democracy. "Carriers, networks and their partners have amassed a vast geo-location user targeting complex. Mobile phones are 'phoning home' to marketers details of our daily lives without meaningful consumer protection rules in place."
But Free State Foundation President Randolph May said the FTC is probably better positioned to protect consumer privacy than the FCC. "There are obvious benefits to subscribers from storing customer-specific information on smartphones," he said. "For example, many consumers welcome the opportunity for real-time marketing that storage of such information makes possible. But privacy concerns are implicated as well. From my perspective, the key is providing consumers with clear notice concerning the carrier's practices and enabling consumer choice. It also seems to me that, at some point, FCC privacy jurisdiction ought to be shifted to the FTC. It is evident from the public notice's questions that the firms responsible for designing and making the devices, the software, and the operational systems in the devices have as much, or more, control over information storage capabilities and practices as the carriers. All of the practices of these non-carriers are subject to FTC jurisdiction, and it probably makes sense for there to be a uniform regime."
"Since the Commission last solicited public input on this question five years ago, technologies and business practices have evolved dramatically," the notice said (http://xrl.us/bm9pom). "The devices consumers use to access mobile wireless networks have become more sophisticated and powerful, and their expanded capabilities have at times been used by wireless providers to collect information about particular customers' use of the network — sometimes, it appears, without informing the customer."
The practice "may be a legitimate and effective way to improve the quality of wireless services," the notice continues. "At the same time, the collection, transmission, and storage of this customer-specific network information raise new privacy and security concerns." While the FCC gathered information in 2007, "in recent months, it has become clear that these submissions are badly out of date," the notice said. "Mobile carriers are directing the collection and storage of customer-specific information on mobile devices."
The notice cites answers AT&T and Sprint Nextel offered to Congress on their use of Carrier IQ software. "AT&T explained that it gathers customer-specific data as an 'enhance[ment of] its network reporting capabilities' and to collect information about its network from the perspective of its users' devices, 'a view that cannot be obtained from the network alone,'" the FCC said. "Sprint identified a 'legitimate need to deploy and use diagnostic software in the maintenance and operation of [Sprint's] services' and described how Sprint worked with the software vendor to customize data collection for Sprint's devices and network." Comments are due 30 days after the notice is published in the Federal Register, replies 15 days later.
The FCC also released a staff report on location-based services (http://xrl.us/bm9qp4). "Among other things, LBS let users access relevant and up-to-date information about their surroundings, inform others of their
whereabouts, and get instant access to maps and traffic information for their current location," the report said. "Whether used for fleet tracking or inventory management, for machine-to-machine communications, or for social networking or entertainment, LBS can create a more dynamic user experience that adds value and convenience and changes the way people transact business and organize their activities and free time."