If an ISP compromises subscriber privacy or cyber security when assisting a law enforcement investigation, it may incur liability under the Electronic Communications Privacy Act (ECPA). That same type of mistake may soon trigger fines from an additional source: the Federal Communications Commission.

Summary of the NPRM

On April 1st the FCC released a notice of proposed rulemaking (NPRM) to set privacy and security standards for Internet service providers, now called broadband Internet access service (“BIAS”) providers. The proposed standards are modeled on the Commission’s customer proprietary network information (CPNI) rules, which already govern telephone companies and wireless carriers.

If the proposed rules are adopted, BIAS providers would be required to give customers notice of their privacy rights. Those rights would include the power to give prior consent before personal information is used for marketing purposes. In addition, BIAS providers would be required to observe reasonable information security measures and notify affected customers in the event of a security breach.

The scope of proposed privacy and security protection would cover many elements of subscriber information. To begin with, the rules would safeguard a BIAS customer’s service plan information. That category includes the type of service (e.g. cable, fiber, or mobile), service tier (e.g. broadband speed), and pricing. The rules would also protect the customer’s geolocation, media access control (MAC) addresses and other device identifiers, source and destination IP addresses (otherwise known as IP logs), domain name information, traffic statistics, and possibly communications content (i.e. everything a broadband user may see or hear online).

NPRM Protection for BIAS Content

The last item in the NPRM scope of coverage – broadband content – deserves a closer look. The FCC recognizes that the privacy of broadband content is already strictly protected by ECPA. Understandably, the NPRM requested public comment on whether additional content protection is needed.

If broadband content is protected by both ECPA and the FCC, BIAS providers would face greater liability for any privacy infringements or security breaches committed when assisting a law enforcement investigation. For example, let’s say the FBI serves a BIAS provider with a warrant compelling the disclosure of all emails sent or received by a certain suspect over the past two months using the BIAS-hosted email service. Let’s further assume the BIAS provider mistakenly delivers three months of emails instead of two. The over-disclosure would subject the service provider to potential monetary penalties under ECPA. If the FCC adopts the proposed privacy rules the erring BIAS provider could also receive an FCC notice of apparent liability assessing more fines.

Alternatively, a criminal court order may require a BIAS provider to facilitate a real-time intercept. This type of monitoring would typically let the authorized law enforcement agency see and hear all content produced on the suspect’s desktop computer, laptop, or smart phone screen for a period of thirty days. But what if the provider mistakenly assists the investigation for more than thirty days? Once again, the entity would risk ECPA fines, and under the proposed rules, FCC fines.

NPRM Proposal for BIAS Data Retention

The NPRM also requested comment on whether and how the FCC should impose standards for data retention or destruction. Service providers retain data for business purposes over different lengths of time. However, the longer data is retained, the longer it may be vulnerable to unauthorized access.

Section 42.6 of the FCC’s rules, known as the “18-month rule,” requires telephone companies and wireless carriers to save billing records for 18 months, in case they are needed for a law enforcement investigation. Will the Commission require BIAS providers to save their subscriber IP logs for the same length of time? If so, the providers may be subject to FCC liability, not just ECPA liability, if they fail to respond adequately to a valid law enforcement request for the logs.

Implications for BIAS Providers

In light of the FCC’s NPRM on privacy and security, BIAS providers should reassess their law enforcement assistance programs. A provider should have the right technical capabilities and protocols to protect privacy and security during a law enforcement investigation. Otherwise, the potential liability may soon be greater than ever.