The T-Mobile Data Breach and Your Basic Primer on CPNI – Part I: The Major Background You Need to Know for This to Make Sense.

T-Mobile announced recently that it experienced a major cybersecurity breach, exposing personal information (including credit card numbers) for at least 53 million customers and former customers. Because T-Mobile is a Title II mobile phone provider, this automatically raises the question of whether T-Mobile violated the FCC’s Customer Proprietary Network Information (CPNI) rules. These rules govern, among other things, the obligation of telecommunications service providers to protect CPNI and how to respond to a data breach when one occurs. The FCC has confirmed it is conducting an investigation into the matter.

 

It’s been a long time since we’ve had to think about CPNI, largely because former FCC Chair Ajit Pai made it abundantly clear that he thought the FCC should not enforce privacy rules. Getting the FCC to crack down on even the most egregious violations – such as selling super accurate geolocation data to bounty hunters was like pulling teeth. But back in the Wheeler days, CPNI was a big deal, with Enforcement Bureau Chief Travis LeBlanc terrorizing incumbents by actually enforcing the law with real fines and stuff (and much to the outrage of Republican Commissioners Ajit Pai and Mike O’Reilly). Given that Jessica Rosenworcel is now running the Commission, and both she and Democratic Commissioner Geoffrey Starks are both strong on consumer protection generally and privacy protection in particular, it seems like a good time to fire up the long disused CPNI neurons with a review of how CPNI works and what might or might not happen in the T-Mo investigation.

 

Before diving in, I want to stress that getting hacked and suffering a data breach is not, in and of itself, proof of a rule violation or cause for any sort of fine or punishment. You can do everything right and still get hacked. But the CPNI rules impose obligations on carriers to take suitable precautions to protect CPNI, as well as obligations on what to do when a carrier discovers a breach. If the FCC finds that T-Mobile acted negligently in its data storage practices, or failed to follow appropriate procedures, it could face a substantial fine in addition to the FCC requiring it to come up with a plan to prevent this sort of hack going forward.

 

Assuming, of course, that the breach involved CPNI at all. One of the fights during the Wheeler FCC involved what I will call the “broad” view of CPNI v. the “narrow” view of CPNI. Needless to say, I am an advocate of the “broad” view, and think that’s a proper reading of the law. But I wouldn’t be providing an accurate primer if I didn’t also cover the “narrow” view advanced by the carriers and Pai and O’Reilly.

 

Because (as usual) actually understanding what is going on and its implications requires a lot of background, I’ve broken this up into 2 parts. Part I gives the basic history and background of CPNI, and why this provides the first test of how the Biden FCC will treat CPNI enforcement. Part II will look at application of the FCC’s rules to the T-Mobile breach and what issues are likely to emerge along the way.

 

More below . . .

Continue reading

Ohio Lawsuit to Declare Google a Common Carrier Not Obviously Stupid – But No Sure Deal Either.

Yesterday, the Ohio Attorney General filed a lawsuit  asking an Ohio state court to declare Google a common carrier and/or public utility under the laws of Ohio and Ohio common law. (News release here; complaint here.) Here’s my hot take just from reading the complaint and with zero Ohio law research: It’s novel, and not obviously stupid. But it has some real obstacles to overcome.

 

I stress this because I expect most people will find this so mind boggling that they will be tempted to write this off. Don’t. It’s a novel application of traditional common carrier law, but that is how law evolves.

 

That said, I don’t think it’s a winner. But I would need to do some serious research on how Ohio common law has dealt with particular key elements of the common law, embodied in Ohio’s statute as serving the public “reasonably and indiscriminately.” Keep in mind I’m not saying that I think this is necessarily the right policy. Indeed, my colleague John Bergmayer at Public Knowledge has explained why treating digital platforms as common carriers could be a very bad idea.

 

A brief explanation of all this below . . . .

Continue reading

U.S. Actually Performed Worse During Covid Than Some Net Neutrality Countries, Not Better.

Every time the net neutrality debate flares up, the ISP industry and its anti-net neutrality allies come up with some reason why leaving unfettered gatekeeper power in the hands of the people who invented the cable video bundle is awesome rather than something that needs oversight to prevent rip offs and anticompetitive behavior. It used to be “net neutrality/Title II will kill investment.” This claim has been repeatedly disproven (you can see some Free Press explanation for why this is nonsense here, here and here). Furthermore, Covid showing the truly massive dimensions of the persistent digital divide has largely discredited “deregulation will spur investment — really!” to all but the most diehard true believers.

 

With Title II back on the table again, we are seeing the repetition of yet another talking point that sounds plausible but turns out to be totally wrong when you actually dig into the evidence. ISPs and their defenders are repeatedly claiming that the U.S. did better than other net neutrality countries (specifically, the EU27) when it came to handling the crush of Covid-19 induced traffic. Unsurprisingly, they credit the lack of regulation for this amazing response. Once again, this claim does not hold up to real scrutiny.

 

As with the investment nonsense, this is a highly complicated area and therefore subject to a lot of spin and heated arguments over what the data actually show and how to explain it. It is made even more difficult by the complete lack of any official statistics (or, as the recent BITAG report put it more politely: “Data sources vary from independent measurement systems to self-reported internal company sources.” (P 7 n.1) So I will just give a few headlines up top and dig into the details below.

 

Contrary to industry boosterism, everything was not awesome for networks during Covid. As one industry observer put it: “By ‘handling’ the volumes they mean that their networks are not crashing and shutting down. But I think there is a whole lot more to these headlines than what they are telling the public.” For reports from the actual time about U.S. problems, see here, here, and here.

 

The U.S. Performed Worse Than Some Countries With Net Neutrality Laws. Studies vary, but one important one looked at not simply the EU and U.S., but also the European Free Trade Association (EFTA) and Canada. EFTA member states have the same net neutrality mandates as the EU (sometimes referred to as the EU27, referring to the full member 27 as distinct from the EFTA). Canada has treated broadband as a telecom service for something like 2 decades now, and has similar net neutrality laws to the U.S. 2016 rules. As this study found the U.S. internet traffic as a whole suffered a 4.9% increase in congestion as compared to 7.25% for the entire EU27, but this was significantly higher than for EFTA (3.3%) or Canada (2.4%). Additionally, when surveyed a week later, EFTA and Canada had made significantly greater progress on reducing congestion than the U.S. Furthermore, the U.S. numbers were for the largest cities with the strongest networks. If you start taking out members of the EU27 who aren’t considered our economic peers, the numbers for Europe improve to be comparable with those of the U.S. So sure, there were some differences but they had nothing to do with net neutrality regulations.

 

There isn’t a lot of evidence to support the “U.S. did better than the EU” claim. While you can find some studies that support the thesis that the U.S. did “better” by some set of metrics, there are a lot of other studies that show that from a consumer perspective, E.U. and U.S. subscribers had similar experiences. See here, here, here, and here.

 

The Netflix Red Herring. The “EU asked YouTube and Netflix to downgrade traffic” factoid beloved of ISPs and their supporters is a red herring. Yes, EU regulators approached Netflix, YouTube when lockdowns began to reduce the quality of their video from high-def to standard. But this was a prophylactic precaution to head off a potential concern, not a response to congestion. Only in the U.S. — and only among industry and Libertarians — would the idea of government and all industry sectors coordinating and accepting “a joint responsibility to take steps to ensure the smooth functioning of the internet” be regarded as a sign of weakness or regulatory overreach rather than a simple statement of reasonable prudence and preparedness.

 

More below . . .

Continue reading

No, California Net Neutrality Law Did Not “Nail” Veterans — Carriers Are Using Vets as Pawns.

It’s a cliche villain scene: “Don’t force me to kill the hostages. Unless you do as I say, their blood is on your hands.” While no one would mistake policy fights for a hostage situation (usually), the same principle applies frequently when challenging industry to stop anticompetitive and anti-consumer practices. Industry will take some anti-competitive practice that provides an apparent marginal benefit to someone sympathetic and threaten that the proposed law change will make it impossible for them to do the “nice” because it stops them from doing the bad thing.

 

So it is no surprise that after California’s 2018 net neutrality law survived it’s first day in court, carriers are doing everything in their power to make it look like banning zero-rating (which the California law does to some degree, but not completely. See more detail below.) is bad for consumers. Almost immediate, for example, AT&T announced it would discontinue its anti-competitive practices of zero-rating it’s own video product and “sponsored data” from third parties. But carriers have now reached a new low by claiming that California’s net neutrality law forces them to discontinue zero rating a specific telehealth program available from the Department of Veterans Affairs. Needless to say, opponents of net neutrality have rushed to trumpet this claim without troubling themselves to investigate whether it is even true.

 

Spoiler alert: Its not true.

 

As net neutrality expert and law professor Barbara Van Schewick explained in a blog post immediately after the Politico story broke, California’s net neutrality law does not prevent carriers from zero rating telehealth programs for veterans. What the law does do, as it was designed to do, is prevent carriers from choosing a single program among a universe of competitors and anointing this one program as the only program that gets such special treatment. Or, as I explain below, carriers can choose to continue to zero rate the Veterans Affairs program in a number of ways, provided they don’t disadvantage other programs that do the same thing (here, veterans health). Mind you, carriers could also decide not to impose artificial bandwidth caps as a means of overcharging consumers and/or favoring their own affiliated content. But hey, where’s the fun and profit in that?

 

I break this out below . . . .

Continue reading

Does the Amazon “Drone Cam” Violate the FCC’s Anti-Eavesdropping Rule? And If It Does, So What?

Folks may have heard about the new Amazon prototype, the Ring Always Home Cam. Scheduled for release in early 2021, the”Drone Cam” will run a pattern of flight around your house to allow you to check on things when you are away. As you might imagine, given a history of Amazon’s Alexa recording things without permission, the announcement generated plenty of pushback among privacy advocates. But what attracted my attention was this addendum at the bottom of the Amazon blog post:

“As with other devices at this stage of development, Ring Always Home Cam has not been authorized as required by the rules of the Federal Communications Commission. Ring Always Home Cam is not, and may not be, offered for sale or lease or sold or leased, until authorization is obtained.”

 

A number of folks asked me why this device needs FCC authorization. In general, any device that emits radio-frequency radiation as part of its operation requires certification under 47 U.S.C. 302a and Part 15 of the FCC’s rules (47 C.F.R. 15.1, et seq.) In addition, devices that incorporate unlicensed spectrum capability (e.g., like Wi-Fi or Bluetooth) need certification from the FCC to show that they do not exceed the relevant power levels or rules of operation. So mystery easily solved. But this prompted me to ask the following question. “Does the proposed Amazon “Drone Cam” violate the FCC’s rule against using electronic wireless devices to record or listen to conversation without consent?

 

As I discuss below, this would (to my knowledge) be a novel use of 47 C.F.R. 15.9. It’s hardly a slam dunk, especially with an FCC that thinks it has no business enforcing privacy rules. But we have an actual privacy law on the books, and as the history of the rule shows the FCC intended it to prevent the erosion of personal privacy in the face of rapidly developing technology — just like this. If you are wondering why this hasn’t mattered until now, I will observe that — to the best of my knowledge — this is the only such device that relies exclusively on wireless technology. The rule applies to the use of wireless devices, not to all devices certified under the authority of Section 302a* (which did not exist until 1982).

 

I unpack this, and how the anti-eavesdropping rule might impact the certification or operation of home drone cams and similar wireless devices, below . . .

 

*technically, although codified at 47 USC 302a, the actual Section number in the Comms Act is Section 302. Long story not worth getting into here. But I will use 302a for consistency’s sake.

Continue reading

What (Not) to Wear on Election Day; or, Would You Rather Vote or Be a Test Case.

As we run the home stretch to Election Day 2020 (November 3! Don’t forget to vote! And vote down ticket, too! Local races are important, as are ballot question! You can also volunteer to be an election judge, or take part in voter protection projects. Make every vote count by making them count every vote!)

 

O.K., that opening line got hijacked by PSAs. Let’s start again.

 

As we get closer to election day, we have a fun decision to make: what to wear to the polls. I don’t just mean coordinating your mask with your outfit. I mean whether wearing a t-shirt that expresses some suitable sentiment depending on your politics might violate your state’s election rules. The situation is especially complicated this year as this is the Presidential election year since the Supreme Court decided MN Voters Alliance v. Mansky (2018) (opinion here). While this is not legal advice, I thought it might be helpful given the current circumstances (especially the likelihood of extremely aggressive poll watchers eager to challenge folks advertising their sympathy for the other side and a shortage of election judges due to COVID to resolve the challenges quickly) to review some basics to avoid hassle. Sure, if you prefer to be a test case rather than necessarily get to vote, you should wear that “Ruth Sent Me” or “Blue Lives Matter” t-shirt. But you should know what you are potentially getting into, first.

 

More below . . .

Continue reading

Markey’s Bet on Net Neutrality Pays Off (But Not How You Think).

The results are in on the highly contested MA senate primary race between incumbent Senator Ed Markey and 4-term Congressman Joe Kennedy. While about 15% of the vote remains to be counted, it appears that Markey has won by about 10 points. That’s an amazing margin considering that he was trailing by double digits when Kennedy first announced his primary challenge and Markey was widely seen as the next Washington insider destined for the dustbin.

 

But as just about every activist in a wide range of causes pointed out when hearing of the primary challenge, Ed Markey is not your typical Washington insider. To the contrary, Markey has shown leadership on a host of vitally important issues for decades — and long before they were popular in democratic caucus. Markey’s campaign also bucked conventional wisdom by running aggressively on his record. Markey’s Senate win in 2014 was assured when he won the democratic primary, so it is unsurprising that many people in the state outside the activist community were unaware of just how much they owe to Ed Markey. Readers here most likely know him for his telecom work, but the impressive list includes fighting for the environment before it was cool, fighting for privacy before it was cool, and fighting for accessibility rights (which, sadly, is still not as cool as it should be). Markey’s commitment on the environment goes back well before the Green New Deal, and he was huge in writing the pro-environmental provisions in the 2005 Energy Act. He was a primary drafter of the Children’s Online Privacy Protection Act of 1999. He is responsible for the closed captioning provisions and the video description provisions of the Communications Act.

 

And, of course, he was one of the earliest supporters of net neutrality, going up against members of his own party to fight the anti-net neutrality provisions of the 2006 effort to rewrite the Communications Act. You can see me gush about Markey back in 2006 here. But my appreciation for Markey goes back to the 1990s, when he was one of the few members of Congress who actually cared enough about getting the technical issues right to dig in deep on the creation of ICANN.

 

All of this paid off yesterday in Markey’s primary challenge. Markey’s early decision to back net neutrality — like his decisions on privacy and disability access — were made when no one thought any of these things would matter in an election one way or another. And I’m not going to claim that net neutrality was a deciding issue for the voters of Massachusetts. But it is part of an overall record that established Markey as a genuine progressive leader and effective fighter long before anyone considered those election advantages. In particular, net neutrality is a highly popular issue among the young online progressive activist community that press reports are saying were essential to Markey’s astonishing turn around from trailing by double digits to winning by double digits (or almost double digits depending on the final count).

Continue reading

Another Massive Hurricane, Another Chance for the FCC to Do Nothing — and Why Congress Must Pass the RESILIENT Act.

When I was growing up, I used to hear the nursery rhyme about the itsy bitsy spider climbing the waterspout, getting washed out, and then doing the exact same thing again. Whereas most people I have encountered regard this little jingle as a pean of praise to perseverance, I always thought it was a warning about what happens when you refuse to learn from past experience. Seriously spider dude, it’s a rain pipeReality does not care about your rugged determination and individualism. You need to take a lesson from the ant with the rubber tree plant and stop wasting time.

 

I bring this up as, once again, we have wildfires in California with rolling blackouts and massive hurricanes hitting the Gulf Coast — both of which have historically caused major telecom outages (although so far the infrastructure appears to be holding up). Rather than learn from these experiences over the last three years, the Pai FCC has become famous for it’s three-part Republican harmony version of the Itsy Bitsy Spider (telecom version) while the Democratic Commissioners are relegated to feeling the Cassandrefreude. So I will take this opportunity to plug the “Reenforcing and Evaluating Service Integrity, Local Infrastructure, and Emergency Notification for Today’s Networks Act” (aka the RESILIENT Act (section by section by section analysis here, press release here).

 

Briefly, Congress ought to pass the RESILIENT Act as quickly as possible. Neither the FCC nor state governments have taken the needed steps to update our regulations governing repair of physical networks to reflect modern network construction. The biggest change — that communications networks are no longer self-powered — requires that the FCC and the Department of Energy (DOE) (through the Federal Energy Regulatory Commission (FERC)) to work together to require power companies and telecom companies to coordinate. That takes federal legislation. But we also need to recognize that we can’t require every network to maintain reliability on its own. We need networks to use the redundancy that comes from having competing networks to provide the reliability we used to have from a highly regulated monopoly provider.

 

I explain more below . . .

Continue reading

We Can #ConnectTribes to Broadband, and YOU Can Help!

One of the unusual plot twists of this season on Spectrum Wars has been my agreeing more and more with FCC Chairman Ajit Pai. For those familiar with Babylon 5, this is rather like how G’Kar and Londo started working together by the end of Season 4 despite attacking each other’s home planets at various points in Seasons 1, 2 & 3. But as I like to say: “Always prepare for the best possible result.” Mind you, this doesn’t change all the things on which I vociferously oppose the current FCC. But I’m hoping to extend the spectrum streak into August.

 

Which brings me to one of the most important developments for connectivity for Native American Tribes, Alaskan Native villages and Native Hawaiian communities: the 2.5 GHz Rural Tribal Priority Window (TPW). This gives federally recognized Tribes on rural Tribal lands the opportunity to apply for free spectrum licenses in one of bands best suited for 5G. Tribes that receive these licenses will have the capability to build out their own 5G networks, bringing real, reliable and affordable broadband to communities that have the worst broadband access in the United States. Unfortunately, the application window closes on August 3. Because of the horrific impact of COVID-19 on Native American communities (rural Native American Communities have suffered worse economic and social impacts of COVID-19 than any other community in the United States, aggravated by the severe lack of broadband access), hundreds of eligible Tribes will not be able to meet the August 3 deadline to apply (less than 20% of the approximately 515 eligible federally recognized tribes on rural Tribal lands are expected to be able to apply under the current deadline, based on an estimate by MuralNet.org).

 

Tribal organizations such as National Congress of American Indians, The Southern California Chairmen’s Tribal Association, Native Public Media, and AMERIND Risk Management (a Tribal owned corporation chartered under federal law) are working with my employer, Public Knowledge, to request the FCC to extend the window until February 3, 2021. As I explain below, this will benefit hundreds of Tribes and their communities, while harming no one. But best of all, you can help! Here’s how:

 

Tell your member of Congress to tell the FCC to extend the 2.5 GHz Tribal Priority Window. You can do that by going to the Public Knowledge #ConnectTribes action tool here.

 

Tell the FCC to extend the 2.5 GHz TPW. The Docket Number for this proceeding is 18-120. Simply head over to the FCC Express Comment page and tell the FCC in your own words that Tribes deserve a real chance to apply for wireless broadband licenses on their own sovereign Tribal lands so they can provide Tribal households and businesses with the broadband they need and deserve.

 

Participate in the #ConnectTribes Day of Action on Thursday, JULY 23 (TOMORROW!). One of the biggest problems is that no one outside of a very small set of telecom wonks and Native activists knows about this situation and why the FCC needs to extend the TPW until February 3. Tweet or otherwise use social media with the hashtag #ConnectTribes to raise the profile of this issue. We are planning a “Day of Action” this Thursday, July 23 to get this trending — but please keep using the hashtag to support Tribal connectivity until August 3.

 

More below . . .

Continue reading