Back in June, the FCC released a major Order on the Lifeline program. Lifeline, for those not familiar with it by that name, is the federal program started in the Reagan era to make sure poor people could have basic phone service by providing them with a federal subsidy. Congress enshrined Lifeline (along with subsidy programs for rural areas) in 1996 as Section 254 of the Communications Act. While most of the item dealt with a proposal to expand Lifeline to broadband, a portion of the Order dealt with the traditional FCC Lifeline program.
As a result, the wireless industry trade association, CTIA, has asked the FCC to declare that poor people applying for Lifeline have no enforceable privacy protections when they provide things like their social security number, home address, full name, date of birth, and anything else an identity thief would need to make your life miserable. Meanwhile, US Telecom Association, the trade association for landline carriers, has actually sued the FCC for the right to behave utterly irresponsibly with any information poor people turn over about themselves — including the right to sell that information to 3rd parties.
Not that the wireless carriers would ever want to do anything like that, of course! As CTIA, USTA, and all their members constantly assure us, protecting customer privacy is a number one priority. Unless, of course, they’re running some secret experiments on tracking without notifying customers that accidentally expose customer information to third parties. Oh, and it might take longer than promised to actually let you opt out once you discover it. And in our lawsuit against the FCC’s Net Neutrality rules, they explicitly cite the inability to use customer information for marketing, the inability to sell this information to third parties, and the requirement to protect this information generally as one of the biggest burdens of classifying broadband as Title II. But other than that, there is no reason to think that CTIA’s members or USTA’s members would fail to respect and protect your privacy.
So how did the Lifeline Reform Order which most people assumed was all about expanding Lifeline to broadband became the vehicle for the phone industry to tell poor people they have no privacy protections when they apply for a federal aid program? I explain below . . .
While the bulk of the Lifeline Order back in June dealt with the proposal to expand Lifeline subsidies to broadband, a bunch of it also addressed various aspects of the existing program. Some folks may recall that after all the fuss over the so-called Obamaphone and the discovery of a lot of fraud by wireless Lifeline providers, the FCC imposed a whole bunch of new obligations for carriers providing Lifeline subsidies to explain how they ascertained that applicants qualified for the program. The FCC explicitly prohibited carriers from retaining the documentation, which would include things like social security numbers and enrollment information from other federal poverty programs (like SNAP or Medicaid), because it had lots of concerns about the ability of carriers to protect such sensitive and private information.
Tracfone, a major provider of Lifeline, filed a Petition for Reconsideration on this point. They asked the FCC to let carriers simply scan the documents and store them electronically as being the easiest and most cost-effective way of demonstrating compliance. As part of this Petition, Tracfone assured the FCC it (and all other “eligible telecommunications carriers” (“ETCs)) had the capability to protect the privacy of these documents and they totally, totally would do that — but please don’t make us spend lots of money keeping and storing all this stuff on paper. Numerous other telephone companies supported Tracfone’s Petition, likewise pointing to their ability to encrypt and protect sensitive customer information.
In the Section of the June Order titled “Order on Reconsideration,” the FCC granted Tracfone’s request. In response to comments by carriers assuring the FCC they had the means to protect the privacy of customer information and the willingness to do so, the FCC took the opportunity “to remind ETCs” they have an obligation to protect the privacy of customers and the security of the data collected under two statutory provisions — 47 U.S.C. 222 (Privacy of Customer Information), and 47 U.S.C. 201(b) (prohibition on unjust and unreasonable charges or practices). And that, at a minimum, they expected to see the carriers do all the stuff they promised to do in their comments like encrypt digital information, store information behind firewalls, etc. In other words, as the FCC stated, it planned to hold carriers accountable as a matter of law for the privacy promises carriers made in the proceeding to get the rule change they wanted.
Needless to say, this did not please the phone industry! After all, it is one thing to make lots of promises about your ability to store and encrypt electronic documents securely so you can get out of keeping unhackable-but-bulkier paper files and replace them with easier-to-store-but-hackable digital files. It is another thing for the FCC to actually make those promises enforceable as a matter of law! So CTIA, the trade association of the wireless industry, petitioned the FCC to reconsider this unprecedented move to make industry representations about privacy independently enforceable as a matter of law. (BTW, for those who actually think poor people deserve privacy, Oppositions to the CTIA Petition are due October 8).
While I find CTIA’s Petition merely annoying, the U.S. Telecom Association, the trade association for incumbent wireline phone companies, took things a step further. USTA decided to challenge the FCC in court. According to USTA, the FCC trying to hold phone companies accountable for their promises about privacy as a matter of law amounts to an arbitrary and outrageous abuse of authority that the FCC totally sprung on them without warning if you (a) ignore the fact that the FCC explicitly prohibited document retention and storage out of privacy concerns; and, (b) the phone companies offered to do all this privacy stuff as a condition of getting the rule changed.
In fairness to USTA, I can see the point from their perspective. As everyone in the industry knows, when phone companies make promises and commitments about privacy or other consumer protections, the FCC is supposed to gravely nod and say some vague unenforceable boilerplate like “we note the industry has assured us in the record they can and will protect the privacy of electronically stored records, and we will not hesitate to take appropriate action if this turns out not to be the case.” Then, after the Commission meeting approving the Order, telco lobbyists and Commissioners go up to the Chairman’s office together and have a good giggle about your unenforceable promise.
But nooooooooooooo!!!!! Not only does that infernal pro-consumer power-mad regulator Chairman Tom Wheeler and his majority of pro-consumer Democrats insist on having actual enforceable rules rather than unenforceable industry promises, they actually enforce them! Indeed, a big complaint by the phone industry is that the FCC first announced the basic responsibility to protect the privacy of Lifeline information in an enforcement case, Teracomm and Yourtel America. There, the FCC (by a 3-2 vote of course) found that it violated the basic duty to protect customer information under Section 222(a) when ETCs stored social security numbers and other important information collected as part of the Lifeline program on a publicly available server searchable by Google and other commercial search engines. Additionally Terracomm and Yourtel failed to correct the problem when they became aware that third parties were accessing people’s information. The FCC reasoned that such outrageous actions rather clearly violated the plain language of Section 222(a) that carriers have a duty to protect the proprietary information of customers. Additionally, the FCC found that carriers leaving social security numbers in files searchable by Google violated basic industry standards and common sense, and thus constituted unreasonable conduct.
Needless to say, the Republicans on the Commission and the phone industry see this rather differently. So you get phrases like “regulatory overreach” and “lack of notice” thrown around, because no one has ever had to live under a law that imposes a basic duty of care like, oh, Section 5 of the Federal Trade Commission Act which the FTC and the FCC decided in a policy statement back in 2000 works like Section 201(b). But I will save demolishing the substantive arguments for another time.
For now, it’s enough to know that the phone industry has asked both the FCC and the D.C. Circuit to make it clear that poor people who apply for the Lifeline federal aid program must (a) provide their most sensitive information with regard to identity theft the phone company; (b) turn it over to carriers for digital scanning, retention and electronic storage; and, (c) the phone company has no legally enforceable obligation to take even the most basic precautions to protect the information, and has the legal right to use that information in any way, including selling it to third parties.
USTA and CTIA will no doubt say that they are not against privacy for poor people or eager to exploit the most vulnerable. They are standing up to the FCC for a principle! The principle just happens to be: “Poor people! No privacy for you!”
Stay tuned . . . .