New America Foundation’s Open Technology Institute, Benton Foundation, Center for Media Justice, Chicago Media Action, Free Press, Institute for Local Self-Reliance, Media Alliance, Peoples Production House, Public Knowledge, and The Peoples Channel & Durham Community Media submitted these comments in response to the Public Notice released by the Federal Communications Commission’s Wireline Competition Bureau, Wireless Telecommunications Bureau, and Office of General Counsel “regarding the privacy and data-security practices of mobile wireless service providers with respect to customer information stored on their users’ mobile communications devices, and the application of existing privacy and security requirements to that information.”
As the Commission correctly notes in its Public Notice, it is time to refresh the record “concerning the practices of mobile wireless service providers with respect to information stored on their customers’ mobile communications devices.” In so doing, the Commission should carefully examine the data collection practices of carriers as well as those of the applications, like Carrier IQ, under the carriers’ direction.
Commenters ask the Commission to find that these data collection practices fall within the scope of CPNI contemplated in § 222 of the Telecommunications Act and do not clearly fall under any of the statutory exemptions listed in the statute. Importantly, Commenters highlight the need for the Commission to not merely take the carriers’ self-assessments of these practices at face value, given the variety of incentives in play as well as the carriers’ inconsistencies in the 2007 proceeding.
In addition, Commenters ask the Commission to adopt an “opt-in” rather than “opt-out” disclosure and consent regime for all collection by carriers and applications under their direction of CPNI data as well as any sharing of CPNI data to third parties. Given the degree to which applications like Carrier IQ are integrated into mobile device architecture, it is extremely difficult for ordinary users to both understand how those applications are being used, and also to know how and when to take adequate safeguards to protect their personal data.
Finally, Commenters ask the Commission to require carriers to re-disclose their data collection and sharing practices and renew customer consent once every six months. This requirement reflects the rapid pace at which mobile technology evolves and allows customers the opportunity to reflect on whether the collection of CPNI data aligns with their current privacy values. In addition, the requirement keeps the issue of privacy protection present both for individuals and for the group of mobile device customers as a whole, increasing broadly the level of engagement and understanding of privacy concerns in this space.
Read the full text of the comments here.