[gnso-rds-pdp-wg] FCC 16-39: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

Carlton Samuels carlton.samuels at gmail.com
Sun Jun 12 19:29:53 UTC 2016


I was asked to provide a synopsis and extract possible requirements from
the subject NPRM. It has taken longer than I intended so it comes with my
apologies.  Here it is under, with my apologies:
-----------------------------------------------------------

By a plurality of the votes, the [United States] Federal Communications
Commission (FCC) adopted and issued a so-called Notice of Proposed Rule
Making (NPRM) that addresses “Protecting the Privacy of Customers of
Broadband and Other Telecommunications Services”. See FCC 16-239: NOTICE OF
PROPOSED RULEMAKING Adopted: March 31, 2016 Released: April 1, 2016.


This NPRM
<http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf>
is intended to regulate how Personal Identifier Information (PII) is used
and shared. The rules as proposed extend long-standing privacy protections
granted to consumers of traditional telephone services in Sections 222, 11,
631, 12 and 33813 of the Communications Act to broadband consumers – and,
by extension internet users occasioned by the recent classification of
broadband as a Class II service via FCC 15-24, the Open Internet Order
<https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-24A1.pdf>.


This NPRM refines the FCC's Customer Proprietary Network Information (CPNI)
rules, the set of rules derived from Section 222 of the Communications Act,
for enforcing privacy requirements by adding to and extending the set of
recognized PIIs. CPNI is here defined as:


 “*information that relates to the quantity, technical configuration, type,
destination, location, and amount of use of a telecommunications service
subscribed to by any customer of a telecommunications carrier, and that is
made available to the carrier by the customer solely by virtue of the
carrier-customer relationship” and “information contained in the bills
pertaining to telephone exchange service or telephone toll service received
by a customer or a carrier,” except that CPNI “does not include subscriber
list information.” *


The FCC’s "*illustrative non-exhaustive guidance to types of data that are
PII*" that may be subject to protection was given as:


“*name; Social Security number; date and place of birth; mother’s maiden
name; unique government identification numbers (e.g., driver’s license,
passport, taxpayer identification); physical address; email address or
other online contact information; phone numbers; MAC address or other
unique device identifiers; IP addresses; persistent online identifiers
(e.g., unique cookies); eponymous and non-eponymous online identities;
account numbers and other account information, including account login
information; Internet browsing history; traffic statistics; application
usage data; current or historical geo-location; financial information
(e.g., account numbers, credit or debit card numbers, credit history);
shopping records; medical and health information; the fact of a disability
and any additional information about a customer’s disability; biometric
information; education information; employment information; information
relating to family members; race; religion; sexual identity or orientation;
other demographic information; and information identifying personally owned
property (e.g., license plates, device serial numbers)*."


Pertaining to broadband and at the heart of this NPRM, the *minimum* set of
elements of the CPNI in context is:


“(1) service plan information, including type of service (e.g., cable,
fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g.,
information pertaining to data caps); (2) geo-location; (3) media access
control (MAC) addresses and other device identifiers; (4) source and
destination Internet Protocol (IP) addresses and domain name information;
and (5) traffic statistics.”


Some requirements that can be gleaned from the publication are:


* Customer personal information data must be authenticated

* Customer personal information online must be password-protected

* Customers must be given the opportunity to approve any contemplated use
or sharing of protected PII

* Customers must be informed of data breaches or unauthorized disclosure of
protected CPNI


The original Order identifying the CPNI requirements for IP-enabled
services (FCC 07-22) can be found here
<https://apps.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf>.
---------------------------------------------
-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================