Carriers are already subject to privacy rules on their networks, and some carriers use encryption technology that keeps user information from being stored on mobile phone software. But they have criticized the proposal as heavy-handed regulation. The FCC, they said, shouldn’t extend its reach to mobile devices.
The agency’s three sitting members are scheduled to vote on the proposal at a June 27 meeting.
“Millions of wireless consumers must have confidence that personal information about calls will remain secure even if that information is stored on a mobile device,” said the acting FCC chairwoman, Mignon Clyburn.
“This ruling makes clear that wireless carriers who direct or cause information to be stored in this way have a responsibility to provide safeguards, and I hope my colleagues will join me in supporting this effort.”
The FCC began to explore rules on smartphone privacy after December 2011, when a security analyst discovered that software from the firm Carrier IQ was collecting data on millions of smartphones. AT&T, Sprint and others said they used the software to measure network performance. So, for example, if the monitoring showed that calls were often dropped in a certain location, technicians would know to look there for a problem.
But Carrier IQ also collected other information from call logs, users’ keystrokes and Global Positioning System devices without disclosing that to consumers.
The software company’s activities aren’t regulated by the FCC. But the agency had privacy rules in place for carriers, and consumer groups wanted federal officials to clarify that those rules extended to phone data on devices.
“The carriers don’t have control of everything on a device, but if they deliberately add some functionality like Carrier IQ to help with their own diagnostics, imposing reasonable security obligations on them seems appropriate,” said Justin Brookman, a director of consumer privacy at the Center for Democracy and Technology.
Carriers have warned that the phone privacy rules should not extend to Internet data collected over smartphones.
Federal law doesn’t “provide the FCC with general authority to regulate privacy practices; it only governs defined information that is acquired in a specific manner by telecommunications carriers,” CTIA — the Wireless Association, an industry trade group, said in comments filed in June 2012.