Carriers Oppose Public Knowledge Petition to Protect Anonymized Call Data

Congress intended its CPNI rules to protect information acquired through the customer-carrier relationship, with particular protections for information that’s “personal, sensitive, and individually identifiable,” said CTIA. Nothing in the statute suggests that customer information “stripped of individually identifiable characteristics” is subject to the same limitations, CTIA said. It urged the FCC to dismiss the petition, filed by PK, Free Press, Common Cause and others, because it offers “only broad, vague, and speculative claims” and fails to provide “any facts or legal arguments to warrant a declaratory ruling.” Existing FCC CPNI rules are “sufficient to address any situation in which a carrier unlawfully makes CPNI available to a third party,” said CTIA.

Verizon and Verizon Wireless called the request “misplaced.” It “makes sense” that anonymized customer data wouldn’t fall under the protections afforded by Section 222, they said, “given the less sensitive nature of records that do not contain customer identities.” The request by Public Knowledge and others, which argues it might be possible to “reverse engineer” the customer’s identity “in some unspecified way,” is far too broad, Verizon and Verizon Wireless said. It “glosses over the fact that anonymizing information helps to protect customer privacy by removing individual identities,” they said. “It also fails to recognize that context is important, and that risks present when information is disclosed publicly are different than when information is kept private and used by a company or its business partners subject to safeguards to protect the anonymized information. And it ignores the fact that the Federal Trade Commission has recommended specific reasonable measures to minimize privacy risks with anonymized data."

Petitioners’ understanding of Section 222 is “flawed,” said Sprint (http://bit.ly/1f9Eu1V). They offer the “unprecedented concept” that “CPNI will be considered individually identifiable unless it is aggregate,” said the carrier. That’s a “new interpretation” that “substantially expands the type of data that would be deemed protected CPNI,” and would lead to “absurd results,” Sprint said: Under that view, a record related to a single phone call, unassociated with any other identifiable information, would still be deemed individually identifiable because it’s not included in a “collective data” set. “The statute cannot be interpreted to lead to the nonsensical result that a record is deemed ‘individually identifiable’ even where it is not associated with any other information that could conceivably disclose the identity of any particular person,” Sprint said.

CenturyLink said it “understands Public Knowledge’s concerns” about potentially improper user of anonymous call detail, but “its argument that such information is individually-identifiable CPNI is based on incorrect assumptions and logic.” While the “potential for re-association may inhere in the information,” that fact “does not render the information individually-identifiable CPNI unless and until such reassociation takes place,” CenturyLink said. Carriers are required to protect call detail even when “divorced from calling party or subscriber information,” it said. The commission “could emphasize that it expects heightened protection of such information,” and “could stress that such information should not be casually disseminated to third parties, be they government or private,” the telco said.

"The risk of re-identification of individuals from anonymized data, while not non-existent, is significantly lower than indicated by the petition,” said the Information Technology and Innovation Foundation (http://bit.ly/1f9FQJT). The commission should hesitate before changing its treatment of anonymized data, and “the economic and social value of innovations in data analytics” should encourage the agency to promote data collection and sharing where appropriate safeguards exist, ITIF said. The Technology Policy Institute also encouraged the commission to disabuse itself of the notion that data cannot be anonymized. “The proper method of anonymizing data is a legitimate topic for discussion, but the notion that anonymization is not possible or that any reasonably competent computer science graduate student can easily re-identify anonymized data is not correct,” said TPI (http://bit.ly/1dRRUkx). It said “the petition contains no examples of CPNI having been successfully re-identified or misused."

Credo Mobile, a San Francisco mobile virtual network operator, supported the petition (http://bit.ly/1dRTWB5). Credo said it was the “first telecom carrier to release a transparency report” after NSA’s collection “dragnet” was made public. The carrier “would never sell customer phone data to the CIA,” but customers are “less likely to believe us when we say that we will protect their information,” it said. “We must compete against dominant carriers whose revenues are enhanced by selling customer information,” Credo said, calling it “a race to the bottom that is won by those who do not respect the privacy of customer information."

Access, an “international human rights organization,” said it was “alarmed” by revelations that the CIA is paying AT&T millions of dollars a year for phone records, and supports the petition (http://bit.ly/1dRTIdd). The Open Media Information Companies Initiative, with members including investors, mutual fund companies and foundations, said the sale of customer data by telecom carriers to government agencies is a “particular concern” for investors (http://bit.ly/1dRT9jD). The coalition supported the petition and urged the commission to declare that carriers and telcos cannot sell non-aggregate call records without customers’ consent.