Martin Set to Circulate Rules for Guarding Privacy

Martin said after last week’s FCC meeting that he hoped to circulate a CPNI order this month. Carriers have been lobbying the agency for rules that can be complied with easily and won’t inflame customers.

“The parties all seem to think that [the order] will have a mandatory password provision -- every time you have an interaction with your telephone company you must give them your password,” a source said: “If you don’t have a password you can’t do… some things or all things.” Carriers can “fixate on one word of a conversation… They spend the next 3 months explaining and filing… about why passwords aren’t a good idea,” the source said: “And then it may not even be in there.”

Carriers mostly had responded to questions from FCC staff on the need for more secure passwords and what carriers will have to protect nonsensitive information, an FCC source said. The FCC has scrutinized the Hewlett-Packard pretexting case for insight into what it may have to do to protect subscriber privacy, the source said. HP has acknowledged investigating its own directors in a search for whoever leaked material on the company’s long-range strategic plans. The case showed how investigators defeated carrier defenses.

“One of the things in the HP pretexting record is that a director’s records were obtained through the ability to go in and reset somebody’s passwords on the Internet,” the industry source said. “One of the directors had an online access account. This investigator was able to corrupt that and reset the password and then get access themselves. They didn’t even have to go through customer care.” As a result, the source said, FCC aides have been asking whether everyone should have to reset their passwords.

The FCC also is examining “very difficult line-drawing issues,” the source said. Carriers want the FCC to balance customer convenience and customers’ legitimate interest in accessing data versus hurdles FCC rules will impose, he said: “There should be distinctions between somebody calling to find out how many minutes are remaining in their bucket versus who are the last 10 calls that were made on an account.”

A regulatory lawyer said the proceeding’s record contains little support for tighter password rules. “It’s not clear to me that’s consumer-friendly,” the attorney said. “Consumers want the privacy and the protections but not the extra hassles, as the carriers have been arguing.”

Pretexting will reemerge as an issue on the Hill. In March the House Commerce Committee passed a pretexting measure (HR-4943) that would have boosted phone company responsibility for safeguarding consumer data, but Speaker Hastert (R-Ill.) jerked it off the calendar without explanation. Instead, the Senate moved a Judiciary bill (HR-4709) as one of its last acts before final adjournment (CD Dec 9 Special Bulletin).

But the Judiciary bill covers only pretexting, imposing prison penalties of up to 10 years. The Commerce bills, which consumer and legal groups backed, focused on phone companies’ responsibility, tightening provisions that require data to be protected. House Commerce Chmn. Barton (R-Tex.) tried to get his bill on the floor in Oct. after a high-profile 2-day hearing with Hewlett-Packard officials who used pretexting to track the source of leaked corporate information.

Democrats say House leaders spurned the bill because it could open the White House to vulnerability on its warrantless surveillance program, Hill sources said. Communications law requires phone companies to guard consumer data, a point House Telecom Subcommittee Chmn.-designate Markey (D-Mass.) made in a May letter to FCC Chmn. Martin. Markey asked Martin how he planned to investigate phone companies’ “apparent” breach of consumer privacy under communications law. Martin said that the Presidential program’s classified nature moved it beyond FCC’s purview. There’s been no followup since, committee sources said.