This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
CPNI & BIAS: Protecting the Enterprise
Newsflash: The rules provided in the Open Internet Order otherwise known as "Net neutrality" are scheduled to become effective in less than two weeks, on June 12. Second newsflash: Court action is likely to occur prior to that date affecting some of the order's more controversial provisions. However, one of the lower visibility items (and there are many) not likely to be successfully challenged in the next few days involves guidance on issues related to the privacy of information that broadband providers collect and retain.
On May 20, the FCC's Enforcement Bureau released the first of what's expected to be many advisories addressing consumer privacy protection by broadband Internet access (BIAS) providers. There's a joke somewhere in that name, but I'll leave its creation to the professionals. Just know that when you see the word in all capitals, it's not a joke. The root of the issue is whether BIASes, which have essentially been reclassified as voice providers, are subject to a similar level of oversight as are traditional voice carriers. The answer is "almost." Why should you care? Because this is all about protecting consumer privacy. The truth is that, in these circumstances, enterprises -- as well as individual consumers -- are entitled to protection too!
Pretext in Context
Think back to the unsavory tactics of several well-known large companies back in 2007. At that time, certain individuals misrepresented themselves in an effort to gain access to otherwise confidential information regarding call traffic, volume, patterns, and anything else they deemed relevant in an effort to gain competitive advantage. Initially they were successful. But not for long. Does the word "pretexting" bring back any memories?
In response to these activities, Congress passed legislation and the FCC enacted rules designed to ensure that traditional voice carriers would agree to keep customer information confidential. That is, unless the carrier received clear and unequivocal permission to share the enterprise's information (as a consumer of the carrier's services, or "enterprise consumer") by that enterprise's designated representative. Now, in every agreement, an enterprise consumer has the option not to share its confidential and/or proprietary information regarding all of the elements previously mentioned.
With the Open Internet Order, and with the FCC's decision to treat BIASes under Title II of the Communications Act of 1934, the FCC has decided that BIASes must make reasonable efforts to protect enterprise consumer data in a way consistent with the way it has protected other proprietary enterprise consumer information. Because the underlying technology is vastly different, the industry has raised new issues and concerns about the protection of proprietary information that no longer "looks" like voice traffic of yore, but which functions in virtually identical ways. As such, Section 222 of the Open Internet Order was born.
Like Pirate Code
Specifically, the May 20 advisory addresses Section 222 of the Open Internet Order, which lays down the basics of the FCC's guidance. The word "guidance" is also key, particularly when coming from the Enforcement Bureau. I love quoting pirate Hector Barbossa, of Pirates of the Caribbean: The Curse of the Black Pearl, who speaks of the "pirate code" in the exactly same way. "The code is more what you'd call 'guidelines' than actual rules," he said.
Section 222(a) defines the duty of telecommunications carriers to protect the confidentiality of proprietary information of -- and relating to -- carriers, equipment manufacturers and customers. Section 222 (b) prohibits carriers that receive proprietary information from other carriers for the purpose of providing telecommunications from using that proprietary information for other purposes, including marketing. Section 222 (c) is the place where the Enforcement Bureau defines customer proprietary network information (CPNI), and outlines where and under what circumstances carriers can use CPNI without obtaining additional consent.
When the FCC adopted these rules, it opted to apply substantive rules without establishing -- at least for now -- any specific rules for implementation of these new obligations. What the FCC is requesting, and what it will use as its benchmark for enforcement, is whether or not BIAS providers have taken "reasonable, good-faith steps" to comply with the terms laid out in Section 222. Vague terms such as "reasonable, good-faith steps" are the stuff that lengthy litigation is made of, but this action represents a clear step forward in trying to treat providers of similar services in similar ways. Up to this point, BIAS providers that've been involved in the business of providing these services have been able to avoid the regulatory obligations carried by traditional voice providers since the pretexting scandal of 2007.
While the FCC will keep its finger on the pulse of these issues, it has indicated that it will direct its enforcement activities on the "reasonable good-faith steps" to follow the obligations defined in Section 222 for BIASes. This is in contrast to the technical obligations of protecting private enterprise information with terms that the commission hasn't yet defined. With this vague enforcement obligation, the May 20 notice suggests -- but does not mandate -- that BIAS providers contact the FCC's Enforcement Bureau for either formal or informal guidance on compliance. (Formal guidance is available here.)
The takeaway for end users is that coming soon, to a contract near you, is a new clause that suggests -- if not requires -- that the enterprise consumer either grant or deny consent for its BIAS to share or not share its specific usage information that's not limited to traditional voice. This is a very long-winded way of saying that it looks like the FCC is taking steps to regulate in a way that's more technology neutral than it's been. Maybe ever.