Aiming to “address the real privacy and security risks that consumers face when telecommunications carriers use their control of customers’ mobile devices to collect information about their customers’ use of the network,” the Federal Communications Commission (FCC) has adopted a Declaratory Ruling holding that the existing rules requiring carriers to protect customer proprietary network information (CPNI) apply to CPNI collected by mobile devices when such collection is undertaken at the carrier’s direction and the carrier has access to or control over that information. The FCC further clarified that this obligation applies even while the CPNI resides on the handset prior to transmission to the carrier’s servers.  The Declaratory Ruling does not restrict carriers’ ability to collect CPNI using customer handsets, but holds that if the carrier chooses to do so, it must protect the CPNI it collects.

The Declaratory Ruling applies only to the providers of common carrier and interconnected VoIP services covered by the CPNI rules, although the ruling could raise expectations that other wireless broadband providers engaged in device-based data collection will also protect that data against unauthorized disclosure and use.

Following is a summary of the main points of the Declaratory Ruling.

Many Data Elements Collected by Mobile Devices Fit the Definition of CPNI.  The statutory definition of CPNI is “information that [1] relates to the quantity, technical configuration, type, destination, location, and amount of use of a [customer’s] telecommunications service . . . [2] that is made available to the carrier by the customer [3] solely by virtue of the carrier-customer relationship.”  The FCC concluded that this type of information, even when collected or stored on a mobile device, falls within the definition of CPNI and is therefore subject to the rules governing such information.  Using the 2011 controversy over certain carriers’ use of the Carrier IQ diagnostic software as an example, the FCC explained that when software installed on a handset to collect this information for carriers is not properly secured, other entities or applications may access the CPNI, resulting in the potential disclosure of location and other data.

The Declaratory Ruling acknowledges that some information collected by Carrier IQ-type network diagnostic software, such as information on access to the carrier’s data network or URLs visited by a handset’s browser, may fall outside of the definition of CPNI.  According to the FCC, however, that fact does invalidate the principle that data that does meet the definition of CPNI must be protected as such.

The FCC explained that CPNI collected by a handset at the carrier’s direction is “made available” to the carrier even while it is stored on the handset prior to transmission to the carrier’s own servers.  Even if the information has not yet been transmitted, the configuration of the device puts the data “under the carrier’s control for all practical purposes,” and therefore “made available” to the carrier.  Thus the CPNI must be protected while resident on the customer’s handset, as well as during transmission and while on the carrier’s own servers.

CPNI collected on handsets is also “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” because the carrier “is in a unique position with respect to its customers when it configures a mobile device to collect the information before the device is sold to a customer.”  The same is not true for information collected and stored on the handset by third-party applications installed on the handset by the consumer – even when the data might otherwise fit the definition of CPNI – because in that case the information is not under the carrier’s control and not intended to be transmitted to the carrier.

Carriers Must Take Reasonable Precautions to Prevent Unauthorized Disclosure of CPNI Collected on Handsets.  Obligations carriers have under FCC rules to protect and prevent misuse of their customers’ CPNI applies equally to CPNI collected on customer handsets.

Thus, if a carrier chooses to collect or store CPNI on a handset, the carrier must take reasonable precautions to prevent unauthorized access and disclosure, including access that might be obtained by third-party applications the customer may have installed on the handset.  The Commission recognizes, however, that given the openness of modern smartphones it cannot require carriers to protect customers against “all possible privacy and security risks . . . , including risks created by third-party applications.”

As with other CPNI a carrier may have access to, carriers are free to use CPNI collected from handsets to “assess and improve the performance of its network and to provide information to customer-support representatives without the customer’s specific approval.”  Similarly, as with CPNI collected by other means, carriers are not restricted in using CPNI collected from handsets if the data has been aggregated, with individual customer identities and characteristics removed.

Consistency with Other Privacy Laws and Initiatives.  In response to an argument raised by CTIA,  the nonprofit organization that represents the wireless industry, the FCC explained that the clarifications made in the Declaratory Ruling are consistent with the Stored Communications Act.  Further, while noting that mobile privacy issues are also being addressed through industry best practice development efforts by standards-development organization ATIS, and in the NTIA-led multistakeholder process to develop a privacy code of conduct for mobile apps, the FCC concluded that neither of these initiatives is a substitute for the FCC’s obligation to fulfill its statutory role” to ensure appropriate protection of CPNI.