NB: This originally appeared as a blog post on the site of my employer, Public Knowledge.
Over the last three months, Motherboard’s Joseph Cox has produced an excellent series of articles on how the major mobile carriers have sold sensitive geolocation data to bounty hunters and others, including highly precise information designed for use with “Enhance 911” (E911). As we pointed out last month when this news came to light, turning over this E911 data (called assisted GPS or A-GPS), exposing E911 data to third parties — whether by accident or intentionally, or using it in any way except for 911 or other purposes required by law violates the rules the Federal Communications Commission adopted in 2015 to protect E911 data.
Just last week, Motherboard ran a new story on how stalkers, bill collectors, and anyone else who wants highly precise real-time geolocation consumer data from carriers can usually scam it out of them by pretending to be police officers. Carriers have been required to take precautions against this kind of “pretexting” since 2007. Nevertheless, according to people interviewed in the article, this tactic of pretending to be a police officer is extremely common and ridiculously easy because, according to one source, “Telcos have been very stupid about it. They have not done due diligence.”
So you would think, with the FCC scheduled to vote this Friday on a mandate to make E911 geolocation even more precise, the FCC would (a) remind carriers that this information is super sensitive and subject to protections above and beyond the FCC’s usual privacy rules for phone information (called “customer proprietary network information,” or “CPNI”); (b) make it clear that the new information required will be covered by the rules adopted in the 2015 E911 Order; and (c) maybe even, in light of these ongoing revelations that carriers do not seem to be taking their privacy obligations seriously, solicit comment on how to improve privacy protections to prevent these kinds of problems from occurring in the future. But of course, as the phrase “you would think” indicates, the FCC’s draft Further Notice of Proposed Rulemaking (FNPRM) does none of these things. The draft doesn’t even mention privacy once.
I explain why this has actual and potentially really bad implications for privacy below.
Why Does This Matter If the Law Already Protects E911 Info?
Let me set aside for a moment that the failure of the FNPRM to even mention privacy, at a time when FCC Chairman Ajit Pai’s response to the ongoing revelations of carriers mishandling of sensitive location data has been underwhelming (especially in contrast to, for example, his fulminations about robocalls or his nicely politically timed condemnation of mobile carriers’ slow response to Hurricane Michael). This matters for real legal reasons. But to explain that, I’m going to have to go all lawyer-wonk for a few paragraphs.
Generally, information collected by telephone carriers from customers as part of the “carrier-customer relationship” are protected by the CPNI rules (found at 47 U.S.C. 222 and 47 C.F.R. Subpart U). That includes the information collected for E911 generally. The problem is, these CPNI rules don’t prevent people who are not the carrier from getting access to the GPS and using this information, so long as these folks have (or appear or claim to have) subscriber permission. That’s why every application you download on your phone can access your location information, and there’s virtually no way to stop this.
The FCC mandated that cell phones include GPS so that 911 dispatchers can find callers in trouble and send help, but the FCC didn’t do anything to protect the privacy of that information beyond the standard CPNI rules. This means that every application now taps into your GPS. Since you downloaded the application (and clicked the user agreement), you have agreed to allow the app to get the information the FCC mandated be there for 911 purposes. In hindsight this was a fairly substantial oversight by the FCC at the time. As a result, our cell phones have become tracking devices with no meaningful way for consumers to opt out.
When the FCC recognized that GPS did not provide precise enough information to ensure that first responders could actually find 911 callers in time, it did not repeat the same mistake. The 2014 FNPRM to establish the E911 rules explicitly asked whether we needed extra special privacy rules, and solicited comment on privacy issues. This allowed PK and other privacy advocates to raise privacy concerns in the proceeding.
In 2015, the telcos and first responders got together and came up with a plan for how to get acceptable levels of accuracy called “the road map.” This required creation of something called the “National Emergency Address Database,” or “NEAD,” which would store all kinds of information to make it possible to know your precise location. The FCC accepted the road map, subject to the carrier/first responder group developing an implementation plan to protect the privacy of the information even more than usually required by CPNI rules. (The carriers/first responders submitted the final product in 2017, and the FCC approved it.) That included a requirement for carriers to prevent anyone from accessing the information in NEAD “unless required by law.”
Although carriers can let applications access GPS, they are not allowed to permit applications (or anything else) to access the NEAD information, which contains your exact location. With the proposed FNPRM the FCC will vote on this Friday, the agency proposes a new category of information, called “Z-axis,” without saying which set of privacy rules governs Z-axis information.
Do You All Just Make These Names Up To Confuse People? What Is “Z-axis Information?”
One of the major shortcomings with GPS as location information is that it doesn’t tell you how high up (or underground) you are. That’s a problem if you are in a building. In the old wireline days, all the addresses were hardwired into the system. So if you called from the 15th floor of the Daily Planet building in Metropolis, 911 could direct first responders and/or the Justice League (assuming the problem is supervillain related) to precisely where you were. With GPS, you were lucky to be able to get the right skyscraper in a block of skyscrapers right next to each other. With NEAD and A-GPS, you can get the right building pretty reliably. But that still creates problems in most major urban areas.
“Z-axis” refers to the height off the ground, which roughly corresponds to the floor of a building. Imagine a map like a graph with vertical and horizontal lines for longitude and latitude. These lines give you the coordinates of the location. The Z-axis is the imaginary line going up from the map to the ceiling. Finding the right spot on the Z-axis gives you the height of the originating call. Ideally, the combined information gives you the exact location so you can find someone who might be incapacitated in time.
If the Z-axis information is considered part of the general NEAD information, then it’s covered by the extra protections adopted for NEAD in 2015. But the FNPRM doesn’t say anything about this one way or the other. That is the problem. Because the FNPRM doesn’t even mention the subject, we have no idea whether the proposed new mandate for better Z-axis information is covered by the 2015 heightened rules that prohibit carriers from giving access to the information to anyone, or only by the default rules that prohibit the carrier from selling the information without consent, but allow the carrier to provide access to the information collected. This makes a huge difference for privacy.
To make matters worse, because the FCC does not ask about this anywhere in the draft, it is virtually impossible for anyone to bring the issue up in the proceeding without the FCC issuing a new Public Notice. Administrative law says that the agency has to provide notice of what it will or won’t do. Now like a good lawyer, I can certainly make arguments after the fact as to why the FCC should “clarify” that it always regarded Z-axis information as covered by the NEAD rules, or that the question is a “logical outgrowth” of the FNPRM. But it would make everyone’s life infinitely easier if the FCC actually did its job and either (a) simply stated in the FNPRM that Z-axis information is covered by the 2015 NEAD “no access” rule; or, (b) solicited comment on privacy concerns so parties can address it in the proceeding.
So What Happens Now?
The Commissioners have until the vote on Friday to request edits to the language of the FNPRM, and put something in there that either clarifies what rules apply to the mandate for detailed Z-axis information or solicits comment on the issue. Fortunately, both Democratic Commissioners Geoffrey Starks and Jessica Rosenworcel have called on the Chairman to be much more vigorous about protecting consumer privacy, so hopefully they will request changes, and hopefully Chairman Pai will accommodate them. It’s also worth noting that Republican Commissioner Mike O’Reilly — in his concurring statement for the 2014 FNPRM — applauded the Commission in 2014 for seeking comment on privacy concerns, although his emphasis was on the potential for government surveillance. Nevertheless, he may prove supportive of a request for language on privacy.
If nothing in the wording changes and the FCC votes to approve the FNPRM, then it becomes much harder for you, the consumer, to prevent other entities — including bounty hunters and stalkers pretending to be cops — from knowing exactly where you are at any given time. If the FCC makes a mistake here and ignores these privacy concerns, this action will go far beyond forcing consumers to contend with annoying Facebook ads. The FCC should know by now that it must take consumer privacy seriously in this FNPRM. Now we’re calling for the agency to actually do it.
Stay tuned . . .
UPDATE: Good news! Thanks to advocacy by Commissioner Starks, the FNPRM adopted at the vote on Friday, March 15 included a section on privacy issues.