Privacy and Net Neutrality
- EPIC Launches Campaign to End FCC Data Retention Mandate: EPIC launched the "My Calls, My Data" campaign today, urging the public to support a proposal to end the FCC's data retention mandate. The 1986 regulation requires telephone companies to keep the telephone numbers dialed, date, time, and call length of all U.S. telephone customers for an 18-month period. An EPIC-led coalition filed a petition in 2015 calling for repeal of the rule, saying that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition." The FCC is now seeking comments. "There is hardly a better regulation to end than the FCC's data retention mandate," said EPIC President Marc Rotenberg. "It is ineffective, burdensome, and costly." Comments may be filed online and are due by June 16, 2017. (Jun. 13, 2017)
- FCC Responds to EPIC's Petition, Seeks Public Comment on Data Retention Mandate: The FCC is seeking comments on EPIC's petition to revoke the FCC's rule requiring mandatory retention of phone records. Current FCC regulations require phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and call length. The petition, filed in August 2015, states that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition. It is outdated and ineffective. It should end." The EPIC petition is supported by a broad coalition of civil liberties organizations, technical experts, and legal scholars. The FCC docket number is 17-130. Comments are due on June 16, 2017. (Jun. 7, 2017)
- EPIC, Coalition Urge FCC to Act on Petition to End Call Data Retention: EPIC and a coalition of leading civil society organizations have sent a letter to the Federal Communications Commission urging the Commission to act immediately upon a petition submitted by an EPIC-led coalition almost two years ago. The petition called for an end to the FCC rule requiring the mass retention of phone records. The privacy organizations said that the FCC regulation was "unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers." The FCC requires phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and length. The coalition letter states that "the time has come to give the public the opportunity to comment on whether the data retention mandate should continue." (Apr. 23, 2017)
- Trump Repeals Broadband Privacy Safeguards: Donald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, and also explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records. (Apr. 4, 2017)
- EPIC Seeks Documents on Trump - Pai White House Meeting: EPIC has filed an urgent FOIA request with the FCC for information on the recent meeting between FCC Chairman Ajit Pai and President Donald Trump. EPIC is seeking memos, briefing papers, emails, and talking points relating to the White House meeting that took place on March 6, 2017. EPIC said in the FOIA request that public disclosure of this information is critical as President Trump has described the media, which is subject to FCC regulation, as the "enemy of the people." FCC Chair Pai also recently suspended parts of a broadband privacy order that protects Internet users from invasive tracking and profiling. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also has a long-standing petition before the FCC to end the mandatory retention of customer telephone records. (Mar. 9, 2017)
- EPIC to Senate: Back FCC Broadband Privacy Rule, End FCC Bulk Data Collection: EPIC has sent a letter to the Senate Commerce Committee ahead of an FCC oversight hearing. EPIC urged the Committee to examine the FCC's role in online privacy. EPIC supports the FCC's broadband privacy rule. In fact, EPIC had urged the FCC to adopt a comprehensive privacy rule for all communications services, as suggested by FCC Chairman Pai. EPIC also brought to the Committee's attention an outdated FCC regulation that requires the bulk collection of telephone data of American consumers. In 2015, EPIC and many consumer privacy groups petitioned the FCC to repeal it, but the Commission has yet to take any action. In the letter to the Senate, EPIC said the FCC should withdraw the anti-privacy, data retention regulation. (Mar. 7, 2017)
- EPIC, Children's Advocates Oppose Requests to End FCC Broadband Privacy Rules: EPIC and a coalition of children's advocates have filed a comment opposing petitions that ask the FCC to revoke its broadband privacy rules. The coalition urged the FCC to retain rules that treat children's data, web browsing histories, and app usage data as sensitive and to retain opt-in requirements for all categories of sensitive information. EPIC previously urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Mar. 6, 2017)
- EPIC Calls on FCC to Prohibit Forced Arbitration: EPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Jan. 12, 2017)
- European Communications Privacy Law Strengthens Rights for Internet Users: A draft of the update to the European "e-Privacy Directive" provides important new safeguards for users of Internet-based services. The new regulation will apply to all online communications services, including email, instant messaging, and social media. The updated privacy law will limit tracking and profiling of Internet users. The report notes that lax rules for companies such as Facebook and Skype "create a void of protection of confidentiality for the users of these services." The US FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The EU Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation. The Commission's formal proposal is expected in January of 2017. (Dec. 14, 2016)
- FCC Adopts Modest Privacy Rules for Broadband Services: The Federal Communications Commission today approved privacy regulations for broadband services. The rules require ISPs to obtain consumers’ consent for "sensitive" information, which includes web browsing history and app usage, but excludes IP and MAC addresses which are also used to track Internet users. (A document obtained by EPIC under the FOIA indicates that Google lobbied for this exception.) The rules establish data breach notification requirements but permit companies to charge users for privacy protection and permit arbitration when violations of privacy rights occur. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Oct. 27, 2016)
EPIC is a leading privacy advocate before the FCC. In response to EPIC's 2005 petition, the FCC issued a rulemaking strengthening privacy protections for consumers’ telephone records. The D.C. Circuit upheld the rulemaking, establishing support for opt-in privacy safeguards.
In 2010, EPIC wrote to the FCC urging the Commission to investigate Google’s “Street View” vehicle collection practices. The FCC undertook an investigation and in 2012 issued an interim report and fined Google $25,000, finding that the company had obstructed the agency’s investigation. EPIC also filed a FOIA request for the agency’s report, which Google finally released unredacted.
EPIC participated in the Commission’s 2013 rulemaking regarding the privacy of stored data on mobile devices. EPIC filed comments with the FCC urging the Commission to require mobile carriers to implement fair information practices and to adopt techniques for encryption. The FCC ruled that telecommunications carriers must follow the safeguards for Consumer Proprietary Network Information for information stored on mobile devices.
Most recently, EPIC further urged the FCC to investigate Verizon's disclosure of customer record information to the NSA and to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. In conjunction with these action letters, EPIC joined a 2013 petition to the Federal Communications Commission asking the FCC to rule that the sale of consumer phone records to the government is a violation of the federal Communications Act. The petition is currently pending before the Commission.
What is Net Neutrality?
Net neutrality stands for the principle that broadband providers - often referred to as "ISPs," or Internet service providers - should give equal treatment to Internet communications and data flowing over their networks. The FCC has recently approved an extension of net neutrality in the 2015 Open Internet Order. The 2015 Open Internet Order is a rule that reclassifies internet service providers as "telecommunications services" under the Telecommunications Act of 1996. This allows the FCC to regulate certain aspects of ISP behavior.
Before the 2015 Open Internet Order, internet service providers were not classified as "common carriers." A "common carrier" is a company that provides services to the general public and is responsible for the quality and delivery of those services. For example, gas pipelines, electric companies, railroads, and "telecommunications services" (like phone companies) are all "common carriers." This is an important classification, because the government regulates common carriers under different laws and authorities than private companies.
In 2010, while ISPs were not yet classified as telecommunications services, the FCC promulgated a set of net neutrality rules using its authority under Section 706 of the Telecommunications Act. (Section 706 mandates the FCC to encourage the deployment of advanced telecommunications services and to take action if necessary to accelerate deployment.) The FCC's 2010 Order prohibited internet service providers from blocking content and from engaging in discriminatory practices such as slowing down or speeding up content of certain end users and content providers, and required ISPs to transparently disclose network management practices.
The D.C. Circuit ruled in 2010 that the FCC could not regulate ISPs as though they were telecommunications services. However, the D.C. Circuit upheld the FCC’s general authority to promulgate open Internet rules with its Section 706 authority. In response to the D.C. Circuit’s ruling, the FCC announced a new notice of proposed rulemaking regarding open Internet rules. The Commission recently passed its new Open Internet Order by a vote of 3-2.
Under the new Open Internet Order, internet service providers are no longer classified as "information services" under Title I of the Telecommunications Act. Instead, they are classified as common carriers - and specifically, as telecommunications services - and can be regulated under Title II of the Telecommunications Act. This means that the rules that apply to telecommunications services under Title II will now also apply to internet service providers.
What does that have to do with privacy?
Several of the Title II rules - which now apply to ISPs - contain provisions about privacy. These provisions did not apply to ISPs before the 2015 Open Internet Order, but now they do apply. Under the Communications Act of 1934, the FCC can "forbear," or choose not to apply, any rules in Title II that are "no longer in the public interest." In the 2015 Open Internet Order, the FCC made clear that it will forbear most of the provisions of Title II. It will NOT forbear (that is, it WILL apply) sections 201, 202, 206, 207, 208, 209, 216, 217, 222, 224, 225, 254, and 255. Two of these in particular - Sections 201 and 222 - will have a significant impact on consumer privacy.
Prior to the Open Internet Order, the Federal Trade Commission was the primary agency that brought enforcement actions against internet companies that violated consumer privacy. However, Section 5(2)(a) of the FTC Act prohibits the FTC from pursuing actions against “common carriers subject to the Acts to regulate commerce.” The Open Internet Order’s reclassification of broadband Internet access service as a “telecommunications service” makes broadband providers common carriers - at least in their capacity as internet service providers.
The FCC will enforce Section 201 against internet service providers. Section 201(b) of Title II provides that “[a]ll charges, practices, classifications and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.” Section 201’s "just and reasonable standard" is much like the FTC’s Section 5 "deceptive and unfair" standard. The FCC in the past has stated that its Section 201 authority is functionally equivalent to the FTC’s Section 5 authority.
The FCC may pursue broadband providers for unreasonable data security practices. The agency can use Section 201 to ensure that broadband providers take just and reasonable means to protect consumers’ personal data. In 2014, the FCC brought its first data security action, finding that two companies’ failure to protect consumers’ personal data by either encryption or password - “even the most basic and readily available technologies and security features” - constitutes an unjust and unreasonable practice.
Under the Open Internet Order, the FCC will also enforce the consumer privacy provision of Title II, Section 222. This section aims to protect consumers’ personal information collected by carriers, as a result of the customer-carrier relationship. Under this section, carriers must “protect the confidentiality of [consumers’] proprietary information” from unauthorized use and unlawful disclosure. Congress distinguishes between individually identifiable information and aggregate information, “according the category of customer proprietary network information (CPNI) the greatest level of protection.”
CPNI and Consumer Data Under Section 222
CPNI is defined in this section as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” In 1998 the FCC issued rules implementing Section 222’s statutory obligations. In 2007, in response to a petition by EPIC, the FCC issued additional rules regarding CPNI compliance. (However, the Open Internet Order forbears these rules, as they mostly relate to voice and telephone-specific data.) The FTC will conduct a rulemaking to determine how Section 222 and CPNI will apply to broadband Internet access service providers.
Pending that rulemaking, it is still uncertain how much customer data Section 222 covers. This Section could potentially cover all personally identifiable customer data, such as web-browsing history and geo-location data, that is stored on a device or that a broadband service provider tracks as a consequence of the customer-carrier relationship. The language of the Open Internet Order suggests that the FCC is looking to set meaningful privacy and security baselines that broadband providers must follow. Although the specifics as to what customer data will be covered and to what extent are not yet known, the scope of the provision as applied to broadband providers seems appropriately tailored to the full extent of sensitive information broadband providers collect, track, and retain solely incident to their role as an Internet access provider: “As broadband Internet access service users access and distribute information online, the information is sent through their broadband provider. Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers.”
Section 222(a): Protecting the Confidentiality of Proprietary Information
Section 222(a) provides that carriers protect the confidentiality of consumers’ “proprietary information.” While proprietary information is left undefined in the statute, the FCC recently interpreted proprietary information as “broadly encompass[ing] all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of privacy.” The FCC further determined that “the scope of ‘proprietary information’ protected by Section 222(a) is broader than the statutorily defined term ‘customer proprietary network information’ (CPNI),” including “privileged information, trade secrets, and personally identifiable information (PII).” The FCC cited without adopting the National Institute of Standards and Technology (NIST) definition of PII, finding it to be “informative,” and also clarified that “[i]n general, PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
Section 222(c)(1): Use and Disclosure of CPNI
Under this subsection carriers may not use, disclose, or allow access to consumers’ personally identifiable CPNI without the express consent of the customer. Carriers may use CPNI for in-house marketing of other communications services, as well as disclose such information to their agents and affiliates for such purpose, only after providing each customer notice and opportunity to opt out of having their personal information used for marketing purposes. Furthermore, carriers may not sell or disclose CPNI to venture partners or third parties without a customer’s opt-in consent. Customer data used in the aggregate and not personally identifiable is not subject to these restrictions on use, disclosure, and access.
The FCC's 2010 transparency rule requires broadband providers to “publicly disclose accurate information regarding the network management practices, performance, and commercial terms” of their broadband service so that consumers may make informed decisions and get what they pay for with no last-minute surprises regarding price, speed, and data privacy and security practices. The Open Internet Order enhances this rule. Enhancements include disclosure of packet loss and more just-in-time notifications. The FCC will give safe harbor to those broadband providers who voluntarily adopt disclosure formats that are standalone and easy to read, “similar to a nutrition label.”
Thus, under the 2015 Open Internet Order, the FCC can use its Section 201 authority to hold liable a provider that makes inaccurate or deceptive representations in connection with the transparency disclosure requirements.
The Open Internet Order mandates compliance with federal surveillance statutes - Communications Assistance for Law Enforcement Act (CALEA), Electronic Communications Privacy Act (ECPA), and Foreign Intelligence Surveillance Act (FISA). Although the applicability of these statutes to broadband Internet providers is not new, the Order’s surveillance compliance mandate is at odds with its focus on customer privacy and data security. While the Order increases the level of privacy and data security protections broadband providers must afford their customers, the Order still requires broadband providers to comply with federal surveillance statutes that weaken the privacy and security of broadband provider networks. CALEA is particularly troublesome, as it requires telecommunications carriers to construct their network in such a way that allows the government a backdoor into the network, for surveillance purposes. These backdoors create heightened network security vulnerabilities, allowing access not just to the government but also hackers and criminals.
- In re TerraCom, Inc. and YourTel America, Inc. (2014) (Section 201, 222(a), data security)
- In the Matter of Verizon, Inc. (2014) (Section 222(c))
- In the Matter of Sprint Corp. (2014) (Do Not Call/Text privacy)
- In the Matter of CenturyLink, Inc. (2012) (Compliance with Rules and Regulations Governing Customer Proprietary Network Information)
- In the Matter of Verizon (2012) (Compliance with the Commission’s Rules and Regulations Governing Customer Proprietary Network Information and Toll Free Numbering)
- Open Internet Order of 2015, 80 Fed. Reg. 19737 (2015)
- FCC Open Internet Order Announcement, 2015
- FCC Open Internet Order Website
- White House Net Neutrality Website
- FCC Open Internet Order Summary
- FCC Open Internet Order Fact Sheet
- FCC Notice of Proposed Rulemaking - In the Matter of Protecting and Promoting the Open Internet, May 14, 2014
- Verizon v. FCC
- FCC Open Internet Rules (2010)
- Communications Act, Section 222
- Telecommunications Act, Section 706
- Communications Act Section 551, protection of cable and satellite subscriber privacy
- EPIC: What is CPNI?
- CPNI Implementing Rules
- FCC Declaratory Ruling, Section 222 (2013)
- FCC 2007 CPNI Order
- EPIC 2005 Petition for Rulemaking to Enhance Security and Authentication Standards for Access to Customer Proprietary Network Information
- 2002 CPNI order
- CPNI enforcement actions
- FTC Act, Section 5(a)(2)
- EPIC: Foreign Intelligence Surveillance Act (FISA)
- EPIC: Electronic Communication Privacy Act (ECPA)
- EPIC: Wiretapping and the Communications Assistance for Law Enforcement Act (CALEA)
- NCTA v. FCC - Concerning Privacy of Customer Proprietary Network Information (CPNI)
- EPIC: FCC v. Google Street View
- Tim Wu, Network Neutrality, Broadband Discrimination, 2003
- EPIC: FCC v. AT&T