Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

What was that P word? Ah. Privacy. Yes, we'll think about privacy, says FCC mulling cellphone location data overhaul

Commissioners still doing their best to ignore bounty hunter stalking scandal

Kieren McCarthy Fri 15 Mar 2019  //  20:57 UTC

Analysis America's comms regulator has finally pinky-promised to at least consider people's privacy when it looks into how cellphone location data can be made more accurate.

On Friday, during a monthly meeting of commissioners, the FCC belatedly confirmed it would weigh up privacy alongside phone tracking, in a "notice of proposed rulemaking."

The critical topic was added following an intervention from new commissioner Geoffrey Sparks, after a campaign by privacy advocates who were stunned to find not a single mention of the word "privacy" in a 32-page outline document.

Remember how you said it was cool if your mobe network sold your name, number and location?

READ MORE

The omission is particularly galling given a series of high-profile cases this past year where mobile network operators were found to be providing location data on individuals to unknown third parties for a fee, despite repeatedly promising not to and despite it being against the rules.

Bounty hunters, private dicks, and similar bods were using a loophole in the system to pay a few hundred dollars, or even posing as cops to skip any charges, to get timely location data on specific cellphone numbers – typically people who had skipped bail, but it could be anyone – despite the fact that such data is supposed to strongly protected given its enormous potential for abuse.

That system was able to flourish thanks to the FCC failing in both its rulemaking and subsequent enforcement. But rather than address the scandal, all five FCC commissioners continue to ignore the topic, making only broad references to privacy and claiming to have no knowledge of the underlying issues beyond "press reports" that they have seen.

Groundhog Day

What makes the omission of privacy concerns all the more egregious is the fact that last time the FCC strengthened location data requirements, the exact same concerns were raised and resulted in rules that are currently in place – which mobile companies and/or third-parties are skirting for profit.

It would be relatively easy for the FCC to closely define what is allowed to be done with the more accurate location data it is arguing for: it can specifically designate that data and put rules around it that would, for example, require mobile operators to only grant access to approved providers. It could build stronger enforcement mechanisms to check on, audit, and punish any third parties that break the rules.

It could prevent third parties from reselling that data onto others – the loophole that allowed complete strangers to gain access to another stranger's precise location for cash. But until this morning, the FCC had consciously excluded the issue of privacy in developing the rules.

Even now, the FCC has made no official mention of the topic. The wording surrounding the topic has not been released and in the official announcement of the notice of proposed rulemaking, the word "privacy" does not appear. Nevertheless, privacy advocates cautiously welcomed the addition of the topic.

At the heart of the issue is so-called "Enhanced 911" or E911 location data; geolocation data that is supposed to be used only for emergencies such as when someone calls the emergency services and the police/firemen/paramedics need to know where the caller is located. Accurate location can mean the difference between life and death.

Currently, mobile operators are required to provide location data accurate to within a few feet but that does not include "z-axis" data i.e. how high up someone is. That can be critical in tall buildings to ascertain on which floor someone is. The new proposal will consider improving the precision of that location data to within a few feet on the z-axis.

Don't mention the bounty hunters

All of which is laudable and will almost certainly be life-saving given that over 80 per cent of emergency calls are now made through mobile phones rather than landlines.

But at the same time, the measure approved on Friday ignores the fact that the current, less accurate system has been abused and remains unfixed. Not only that but the FCC is actively ignoring its failings and its representatives are refusing to speak about the bounty hunter scandal while pushing forward on an idea that would make any breach of the system even more problematic.

In approving the measure, several commissioners mention the privacy issue in general terms while avoiding mention of the actual recorded abuses or their root causes.

Commissioner Michael O'Reilly said: "I will restate my concern that location accuracy information should not be used in a way that would infringe on the rights of American citizens. This location accuracy proceeding is about providing first responders with life-saving information, not a vehicle to aggregate location information that can be provided to others."

Commissioner Jessica Rosenworcel argued repeatedly for more accurate location data that is currently proposed and also avoided talking about third-party access making a single reference to privacy in an otherwise lengthy statement.

"It also asks important questions about privacy," she said, before continuing: "But on the most fundamental level, it is organized around standards that unquestionably fall short of what first responders require…"

Only Commissioner Sparks got close to acknowledging the elephant in the room. "My other concern had to do with privacy and security… I am glad it asks those important questions about the appropriate treatment of similarly situated access data and whether rules like those previously adopted should apply here. We need to build those protections and make sure sensitive location data is not miused or abused like we've been reading about on the news."

Neither FCC chairman Ajit Pai nor Commissioner Brendan Carr made any mention of either the bounty hunter scandal nor the issue of privacy.

More dysfunction

In other dysfunctional news coming out of the FCC, Commissioner Sparks called for the recall of a broadband report that chair Pai has been heavily promoting recently as evidence that his decision to revoke net neutrality rules had led to greater broadband investment and provision.

Tech industry titans suddenly love internet privacy rules

READ MORE

"It needs to be taken down and taken back to the chairman," Sparks said when asked about reports that one company – Barrier Communications – had provided figures showing that it was providing fast internet access to 60 million people that it isn't. Sparks confirmed the FCC has opened an investigation into the issue.

All the commissioners also went out of their way to avoid talking about the robocalls they have been receiving from the television show Last Week Tonight as a way of highlighting the FCC's continued inaction against what is its number one public complaint.

Only Sparks confirmed that he had received the calls – which included bagpipe music – and he also said that he felt the robocalls were legal as a First Amendment petition to government.

Rosenworcel again made plain her anger at the three majority Republican commissioners for failing to do more and outlined a few clear actions they could be taking. And those commissioners – Carr and O'Reilly – insisted on maintaining the fiction that the FCC is actively fighting the situation claiming, Trump-like, that chair Pai was doing more to combat robocalls than anyone has ever done. He isn't. ®
Send us news
26 Comments

US legislators propose American Privacy Rights Act - and it looks quite good

After two decades of calls for national protections, something may actually happen

Academics probe Apple's privacy settings and get lost and confused

Just disabling Siri requires visits to five submenus

FCC to reinstate net neutrality in the US until someone decides to scrap it again

Pendulum returns to the Obama era – don't be surprised if it swings right back

US broadband internet: Now with mandatory 'nutrition' labels

ISPs are just going to have to swallow it

Google location tracking deal could be derailed by politics

$62 million settlement plan challenged over payments to progressive nonprofits

96% of US hospital websites share visitor info with Meta, Google, data brokers

Could have been worse – last time researchers checked it was 98.6%

Feds finally decide to do something about years-old SS7 spy holes in phone networks

And Diameter, too, for good measure

Reform of USA's Section 702 spying rule may make it to a vote this week

Tool that lets spooks observe Americans appears to have been renewed for another year

Google will delete data collected from 'private' browsing

Declares victory in settlement of class action lawsuit, but individual claims remain possible

US House approves FISA renewal – warrantless surveillance and all

PLUS: Chinese chipmaker Nexperia attacked; A Microsoft-signed backdoor; CISA starts scanning your malware; and more

Head of Israeli cyber spy unit exposed ... by his own privacy mistake

Plus: Another local government hobbled by ransomware; Huge rise in infostealing malware; and critical vulns

Lawsuit claims Meta hobbled Facebook Watch to help Netflix

Advertiser antitrust lawsuit says claimed deal with Netflix is anticompetitive