The Federal Communications Commission’s (FCC) renewed inquiry into the privacy and security of information stored on mobile communications devices has run into a challenge to the agency’s authority to expand its regulation of wireless consumers’ on-device data. Wireless service providers argue that the Communications Act does not cover much of the customer-controlled information implicated by the FCC’s inquiry. The wireless providers also assert that their current privacy practices are adequate to protect end users.
At issue is the scope of so-called “Customer Proprietary Network Information,” which is defined by Section 222 of the Communications Act as (1) relating to the quantity, technical configuration, type, destination, location, or amount of use of a telecommunications service; (2) relating to service subscribed to by a specific customer; and (3) made available to the carrier by the customer solely by virtue of the carrier-customer relationship. The FCC’s current inquiry asks whether CPNI “could apply to information collected at a carrier’s direction even before it has been transmitted to the carrier.” (The FCC’s broad interpretation might therefore extend to information necessary to coordinate use of a smart phone or tablet as a payment device, including encrypted information.) The agency also asks whether carriers’ current security practices are sufficient under the FCC’s CPNI rules, whether the practices have created data-security vulnerabilities, whether privacy and data security should be greater considerations in the design of software for mobile devices, and what role disclosures of service providers’ practices to consumers should play. These questions raised wireless carrier concerns that the FCC might be going too far in trying to protect end user data, and introducing new regulatory and/or civil liability for wireless providers, and potentially their non-carrier partners.
Mobile payments stakeholders are paying particular attention to the FCC proceeding, which obviously could add yet another layer of regulation, albeit indirect, to the emerging suite of payment platforms. As we previously reported (http://www.paymentlawadvisor.com/2012/06/21/mobile-carrier-billing-at-risk/), the FCC recently adopted anti-cramming rules that certainly implicate mobile payment solutions delivered by wireless service providers. The FCC’s current CPNI inquiry also could leverage the agency’s jurisdiction over regulated telecommunications carriers into even broader restrictions, requirements and disclosures on those carriers which could be passed on to mobile payment companies dependent on wireless delivery systems.
The wireless carriers have not raised mobile payments issues directly so far with the FCC. Responding to the FCC concern regarding information collected at their direction, the wireless carriers argue that CPNI does not encompass “remote diagnostic data” or information stored on devices by customers, often controlled by Carrier IQ software that is inaccessible by customers. Remote diagnostic data includes device and network identifiers (e.g., tower or base station IDs), operating data (e.g., signal strength), and event data (e.g., whether a call was abandoned or dropped). With respect to the need to examine their security practices, wireless carriers also argue that information stored by customers on smart phones and tablets is outside the bounds of Section 222. Such information—which can range from calendar entries to remote payment apps—is not shared with carriers, does not relate to a telecommunications service and does not arise from the carrier-customer relationship.
Whether the carriers’ arguments regarding remote diagnostic data and customer-placed information curbs the FCC’s enthusiasm for expanding its rules is uncertain. A loose coalition of public interest groups continues to press the FCC to expand its rules to cover more customer-controlled data on mobile devices. One possible solution is for the FCC to defer to the National Telecommunications Information Administration, which is conducting a multi-stakeholder process to develop a consumer data privacy code of conduct for mobile application transparency. The FCC faces no hard deadline on concluding its current inquiry, and it appears unlikely the agency will move this matter forward before 2013, at the earliest. Thus, mobile payments stakeholders will have yet another potential federal rulemaking to monitor for the foreseeable future.