Archive for the 'FCC Comment' Category

Government pretexting

Not sure if anyone is reading posts anymore, but this was posted on slashdot. We already knew that government agencies have been buying our data from data brokers, but according to this article, some law enforcement agencies are buying things like phone records that are most likely obtained illegally through pretexting or other means.

Passwords

In response to the FCC’s inquiries regarding passwords, we believe passwords can be an effective deterrent against unauthorized access to a user’s phone records. While passwords would only be effective against pretexting, the CTIA has stated that “overwhelmingly, the vast majority of cell phone records are being fraudulently obtained through the use of ‘pretexting.’” Because the CTIA itself acknowledges that pretexting is a rampant problem, steps should be taken to curb it. One such method is to require a special password from users in order to access their records. Because there have been many comments from expert sources, including EPIC, lawmakers, and the CTIA, we will not attempt to provide a detailed proposal for a solution. Rather, we would like to comment from the perspective of the consumer.

We acknowledge that companies such as Verizon Wireless, Cingular, Sprint Nextel, and T-Mobile are all better qualified to present information on their internal cost of implementing more rigorous password policies. We also recognize that as technology evolves, the requirements on passwords and the threat of pretexting will change, so any solution must be flexible enough to adapt easily. It is possible that a new security technology will make passwords obsolete. Despite this, we believe the importance of passwords can be easily overlooked.

Many consumers do not fully understand the necessary balance between convenience and security. A significant number of people, when asked, will likely be wary of a complicated password system that places an added burden on them: extra time is required to enter the password as well as to memorize it. However, consumers will also usually state that they want companies to protect their personal information. Unfortunately, present technology does not allow a practical implementation that offers both high security and high convenience. A significant number of consumers will undoubtedly find any relatively secure password system burdensome, and their frustration will often be voiced to phone carriers. In addition to the extra cost of implementing a more complicated password system, phone companies also face the added customer service issues related to disgruntled customers. If one company lessens its security to increase convenience, it may gain a competitive advantage over companies more concerned about security, since the number of breaches will remain relatively small while the added convenience will satisfy a larger pool of customers. However, it is not clear that the inconvenience to the many outweighs the cost to the small group of customers whose personal information is breached.

Following the logic above, it is clear that both companies and many consumers have an incentive to speak out against additional rules regarding passwords, even if requiring them is in everyone’s best interest. However, we urge the FCC to consider that the added cost to individual parties might be necessary for security despite this resistance. We acknowledge the CTIA’s argument that the most effective method to prevent pretexting might be to target the pretexters themselves. However, that approach does not preclude also creating additional rules regarding passwords.

While we are not calling for the mandatory use of consumer-set passwords, we do believe service providers should make safer password practices the default option, even if they also give the customer an option to opt out. For example, individual companies should be permitted to let their customers opt out of the company’s password protection policies only after those customers have been informed of the importance of a password and the risks of opting out. Lost and forgotten passwords should only be revealed or reset if a customer writes a non-electronic letter or physically visits a store with customer service facilities for the phone service. This process would be inconvenient but not unreasonable.

Whatever solution is adopted, it is clear that pretexting is a significant problem that must be addressed by the FCC. There are many instances where the government requires minor inconveniences in order to ensure people’s safety. For example, everyone is required to wear a seatbelt in a car, even though the vast majority of the time a person is safe in the car without one. Airline security also illustrates the need for minor inconveniences to ensure security. Password requirements could be viewed in the same way.

Limiting Data Retention

The full draft contains an earlier (outline-only) version of our section. Here is the newest version (including more humble phrasing).
———————–

We respectfully suggest that the Commission encourage telecommunications carriers to adopt a public data retention policy that stores CPNI only for as long as operationally necessary. An effective data retention policy will limit both the extent and the severity of attacks in the event that the system is breached. This will not, by itself, solve the consumer privacy problem. We also respectfully suggest complementing this policy with a two-tiered data deletion model.

In the first stage, we respectfully suggest that the Commission encourage carriers to strip all personally identifiable information from CPNI records after the legally required 18-month retention period. [CITE 47 CFR 42.6] This includes, but is not limited to: all 7-digit phone numbers called and received; subscriber name, social security number, and contact information; and services purchased, such as call forwarding or voice mail.

Stripping CPNI in the first stage protects consumers against pretexting, insider attacks and cyber attacks aimed at information that carriers no longer need. We understand that carriers are concerned about long-term dispute resolution, but this rare occurrence should not come at the expense of their consumers’ privacy interests.

In the second stage, we respectfully suggest that the Commission encourage carriers to purge individual call information by aggregating and then deleting the remaining record data. As a general guideline, the second stage could begin after 36 months. This includes, but is not limited to: all phone number area codes; individual call times and durations; and physical location of calls if the service is wireless.

The second stage safeguards consumers against sophisticated call analysis attacks in which customer identity could eventually be deduced. We understand that carriers may be maintaining this data for statistical purposes. The aggregate information will still allow carriers to collect general trends and statistics about their network, but should make it impossible to trace sensitive call information back to individual consumers.
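To make the two stages concrete, the following Go program is an added example written for this page; it is not part of the group’s comment or any carrier’s system. It applies the policy above to a small constructed set of call records: everything older than 18 months loses the identifying fields listed for the first stage (keeping only the called area code and the non-identifying call data), and everything older than 36 months is folded into per-month network totals and then dropped, which is the second stage. The record layout, the names CPNIRecord, ApplyRetention and SampleRecords, and the sample values are assumptions; the 18- and 36-month boundaries and the fields stripped at each stage come from the text.

```go
package main

import (
	"fmt"
	"time"
)

// CPNIRecord is a constructed call-detail record, not a real carrier schema.
type CPNIRecord struct {
	SubscriberName string
	SSN            string
	SubscriberNum  string // full 10-digit number
	CalledNum      string // full 10-digit number; after stage one, area code only
	Services       []string
	Start          time.Time
	Duration       time.Duration
	CellSite       string
	PIIStripped    bool
}

// NetworkStats is all that survives the second stage: per-month totals with no per-call rows.
type NetworkStats struct {
	Calls         int
	TotalDuration time.Duration
}

// stripPII is the first stage: remove everything that identifies the subscriber or the
// called party, keeping only the called area code and the non-identifying call data.
func stripPII(r CPNIRecord) CPNIRecord {
	r.SubscriberName, r.SSN, r.SubscriberNum, r.Services = "", "", "", nil
	if len(r.CalledNum) >= 3 {
		r.CalledNum = r.CalledNum[:3]
	}
	r.PIIStripped = true
	return r
}

// ApplyRetention runs both stages against the clock now: records older than 18 months lose
// their PII; records older than 36 months are folded into monthly statistics and dropped.
// The 18- and 36-month boundaries are the ones the post proposes.
func ApplyRetention(records []CPNIRecord, now time.Time) ([]CPNIRecord, map[string]NetworkStats) {
	stageOne := now.AddDate(0, -18, 0)
	stageTwo := now.AddDate(0, -36, 0)
	stats := map[string]NetworkStats{}
	var kept []CPNIRecord
	for _, r := range records {
		switch {
		case r.Start.Before(stageTwo):
			// Stage two: count the call in its month's totals, then let the row go.
			month := r.Start.Format("2006-01")
			s := stats[month]
			s.Calls++
			s.TotalDuration += r.Duration
			stats[month] = s
		case r.Start.Before(stageOne):
			kept = append(kept, stripPII(r))
		default:
			kept = append(kept, r)
		}
	}
	return kept, stats
}

// SampleRecords is a constructed data set relative to now: one record each at 1, 20 and 40
// months old, so that every stage of the policy is exercised.
func SampleRecords(now time.Time) []CPNIRecord {
	mk := func(monthsAgo int, name, ssn string) CPNIRecord {
		return CPNIRecord{
			SubscriberName: name, SSN: ssn, SubscriberNum: "6175550101", CalledNum: "4155550199",
			Services: []string{"voicemail"}, Start: now.AddDate(0, -monthsAgo, 0),
			Duration: 5 * time.Minute, CellSite: "site-42",
		}
	}
	return []CPNIRecord{
		mk(1, "A. Subscriber", "000-00-0001"),
		mk(20, "B. Subscriber", "000-00-0002"),
		mk(40, "C. Subscriber", "000-00-0003"),
	}
}

func main() {
	now := time.Date(2006, 5, 1, 0, 0, 0, 0, time.UTC)
	kept, stats := ApplyRetention(SampleRecords(now), now)
	for _, r := range kept {
		fmt.Printf("kept: name=%q called=%q stripped=%v\n", r.SubscriberName, r.CalledNum, r.PIIStripped)
	}
	for month, s := range stats {
		fmt.Printf("aggregated %s: %d calls, %v total\n", month, s.Calls, s.TotalDuration)
	}
}
```

Run against the fixed clock in main, the one-month-old record is untouched, the twenty-month-old record survives with only its called area code, call time, duration and cell site, and the forty-month-old record exists only as a count and a total duration under its month. Because the whole pass is a function of the record timestamps and the clock, it can be scheduled as an automated job, which is the basis for the low-cost claim below.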

We also respectfully suggest that the Commission encourage carriers to publicly disclose their data retention policies. This will allow consumers to make more educated decisions about their privacy risks when choosing an appropriate provider. Public disclosure would enable market forces to pressure carriers into adopting privacy-friendly retention policies in an effort to attract new customers. Note that a public retention policy would not assist wrongdoers by contributing to a “roadmap” for future attack.

The cost of data deletion is low for carriers, since the deletion process can be automated, and deleting data lets carriers spend less on storage.

Moreover, we suspect that even an aggressive policy would not interfere significantly with law enforcement efforts since CPNI must already be retained for 18 months [CITE 47 CFR 42.6]. Carriers have no legal obligation to better assist law enforcement, but they do indeed have a legal responsibility to their own consumers to minimize unauthorized data disclosure.

Commenter CTIA opposes data destruction by claiming that “no security principle makes older records more susceptible or new records less susceptible to fraudulent disclosure.” Though this is true, destroying data will guarantee that fraudulent disclosure of older records will never occur in the future — the policy of deletion represents the best security principle possible. We point out that no carrier comments thus far submitted have expressed any strong objections to the data retention guidelines proposed in EPIC’s petition. [CITE original EPIC petition]

We are also concerned about the security of other stored communications data such as voicemail, text and photo messages sent among consumers. We have little public information as to whether carriers cache this sensitive data and ask the Commission to consider if this data is subject to the same rules as CPNI during the rulemaking process.

Draft of FCC Comment

I have pulled together a draft of our FCC comment, based on text posted here by various students. It’s available in PDF or Word format. (I can convert to other formats if you like.)

Final Reflections on Notification

I am a member of the group exploring notification schemes, described in 21-23 of the NPRM. This post is an attempt to summarize our collective conclusions from Tuesday’s class, with a few additional caveats of my own. (I’ll try to keep straight which ones are which.) In our discussion, we determined that we were actually interested in three or four very different situations that might require consumer notification, each with its own special considerations.

The first, consumer notification of large-scale security breaches that expose personal information, is already under independent consideration in many states. Such mass breaches are most likely to occur due to cracking attacks or physical theft. In addition to fulfilling the public’s right to know about such incidents, such notification would encourage companies to institute better security measures and enable consumers to take protective measures after breaches. We would like to express support for such legislative efforts, but believe that additional FCC rules would be redundant.

The next situations involve “routine uses” of CPNI, both within the company’s “total service relationship” with the customer and any additional releases of the information that the customer might approve. I believe our consensus was that the benefits of notification might in general be similar to the aforementioned case of large breaches, but targeted against pretexting and insider leaks at a relatively low cost and on an on-going basis that could provide for better fraud detection by the carriers themselves. Informing the consumer of every internal carrier use of CPNI would be overly burdensome and confusing given the low risk involved in such transfers, but routine consumer notification whenever CPNI records are accessed, either by the consumer or by third parties, would increase consumer awareness and hamper the practice of pretexting. The FCC needn’t stipulate the specific notification method, as carriers would be more amenable to a rule that offered them some latitude. However, it’s likely that this can be done at low cost, just as I receive free text messages from Verizon Wireless every month informing me that this month’s bill is online. Alternatively, a carrier might print notifications on the bill itself.

However, I have a number of concerns about the real-world effectiveness of routine notifications. Like fine print, a routine notification of this sort is likely to be couched in technical language (e.g. the acronym CPNI itself) and ignored by the consumer. Furthermore, if notification is significantly lagged, as on a monthly bill, it might provide ineffective information for the carriers trying to combat pretexting or for consumers concerned about identity theft. It may also be difficult for the average consumer to differentiate between legitimate and illegitimate accesses of CPNI, especially days and weeks after the fact. Finally, if the decision to opt into increased privacy protections is left to the consumer, it will be underutilized. For these reasons, I believe that notification must be mandatory and used in conjunction with an improved consumer authentication system. Additionally, the FCC must take care to craft specific guidelines as to what is and is not an acceptable method of notification.

That brings me to the possibility of using known secure channels to pre-verify data releases, for instance, fulfilling requests only from the phone number associated with the account. Though more closely related to authentication than notification, such a scheme might use many of the same methods considered above. Compared to the methods previously discussed, pre-verification offers the unique benefit of keeping Pandora’s personal information box closed; after such information is wrongly released, it is hard to erase from semi-public knowledge. However, while pre-verification may be the most effective preventative method against pretexting, our group as a whole expressed concern that it could be significantly burdensome to the consumer.

Personally, I believe the inconveniences are minor compared to the great increase in data security they represent. NKW points out that “notifying end users would lead to more investigations.” Don’t we want to avoid investigations? Investigations are often costly, lengthy, embarrassing, and unfulfilling to the parties involved. In my view, pre-verification is an excellent policy precisely because it leaves little wrongdoing left to investigate.

In summary, notification (especially the “routine” notification in case #2) is compelling because of its extremely low cost compared to the other privacy protection methods our class discussed. It also appeals to the consumer-rights and normative arguments that, whatever happens, the end user has a fundamental right to know where his data is going and choose his carrier accordingly, regardless of the effectiveness of the method.

Summary of Verizon Wireless Comments on CPNI

For your reference, the following is a summary of the comments of Verizon Wireless to the FCC concerning CPNI. Their comments are extremely focused toward the question of whether to allow uses of CPNI outside the “total service relationship” with a customer under an “opt-in” or a “notice and opt-out” framework. Notice, in this context, is not the same as the notification schemes we have been discussing in class, but rather notice that it is possible to opt out. The meaning of the term “total service relationship” is somewhat unclear; I’m certain it’s a reference to previous FCC rules, but I have not been able to find a good formal definition. My closest estimate is that it refers to internal uses of CPNI directly related to provision of the customer’s service, which may or may not include a minor amount of very directly targeted marketing.

Verizon Wireless’s comments focus not on the question of acceptable use of CPNI, but on whether an “opt-in” requirement or a “notice and opt-out” method is more appropriate for carriers’ use of CPNI beyond the “total service” relationship. On this question, they take a largely legal stance rather than discussing CPNI as a matter of policy, with a two-part argument:

1. A “notice and opt-out” regime is sufficient to protect consumer privacy.

Verizon supports this assertion by citing the Gramm-Leach-Bliley Act, which protects more sensitive financial data under a notice and opt-out regime, in addition to previous FCC rules.

2. An “opt-in” regime would eventually face insurmountable legal challenges.

Verizon here cites US WEST v. FCC protecting First Amendment rights to commercial speech, and the Supreme Court’s Central Hudson test requiring restrictions be “narrowly tailored.”

In other words, if a “notice and opt-out” scheme is sufficient, then the more burdensome “opt-in” scheme is illegal.

From a policy perspective, this isn’t too interesting. In the process of making these arguments, however, Verizon Wireless does mention numerous benefits of the expanded use of CPNI by carriers. Broader use of CPNI for marketing would allow carriers to “market efficiently” and “encourage vibrant competition.” Verizon further claims that the consumer, too, would benefit from fewer annoyances. Customers would not have to receive calls from carriers soliciting “opt-ins,” nor be bothered by untargeted, irrelevant advertising and information.

What does this mean for our class debate? I’m not sure these comments are terribly useful; however, they highlight a few interesting attitudes. One is the recourse to legal standards. It seems to me Verizon Wireless is choosing to focus on the laws that currently defend the status quo, rather than on the merits of the existing policy for all parties. Verizon glosses over concerns from the Opt-In Coalition that opt-out notices will be hidden in fine print and obscured in technical language. The benefits to consumers they cite — namely, fewer telemarketing calls — seem paltry compared to privacy concerns. My second observation is that Verizon’s concerned enough over this single question of “opt-in” versus “opt-out” to compose an entire comment on it, yet it hasn’t been addressed much in our discussions of notification. Although it’s difficult to respond directly to the legal point in the Verizon Wireless comment without constructing legal arguments of our own, it’s not a point we should leave unconsidered.

Encryption as Solution?

Recently the FCC released a notice requesting comment on what additional steps they should take in order to protect the privacy of consumers’ phone records. This is my group’s draft of our thoughts on encryption as a solution to data brokers illegitimately acquiring such records.

-Avi

Encryption
Encryption is the process of obfuscating information so that it is unreadable without additional knowledge. Generally the special knowledge required to discover (decrypt) the original information is knowledge of which process was used to encrypt it, as well as knowledge of a specific piece of information, a ‘key,’ to unlock the encryption. When encryption is done well it is generally not possible to uncover both these pieces of information simply by examining the encrypted data.

Where Encryption is Effective
It is clear that a carrier would need to have at its disposal a means of decrypting the data. We recognize that CPNI data is used for legitimate business purposes, and so it is meaningless if it cannot be made readable. Some employees at the carrier must have access to a decryption device in order to perform their jobs.

Carriers also provide means of giving users access to their own CPNI. We do not dispute that these means should be available; we only note that CPNI cannot be disclosed to the user in encrypted form, or they would not be able to read it. In order to provide such a service, carriers’ customer service representatives must have at their disposal a method of releasing decrypted CPNI data to the user to whom it belongs.

It follows that encryption is emphatically not a solution to the problems of pretexting and dishonest insiders. If someone has convinced a customer service representative that they should be given certain CPNI data, the data will be given to them in plain text. If a carrier employee is inclined to feed CPNI data to data brokers they will be able to do so if they have been given access to decrypted CPNI data in order to perform their job.

We believe that encryption of stored data is an effective counter-measure against two methods of acquiring CPNI data: cyberattack and physical theft of data.

Encryption and Cyberattack
In examining the effectiveness of encryption in countering cyberattack on carriers it is necessary to divide cyberattacks into two categories: attacks carried out by interacting with a carrier’s web site and attacks in which a data broker gains direct access to a carrier’s database.

EPIC notes that a data broker might crack a user’s online account with the carrier in order to obtain CPNI data. A carrier’s web site, like a customer service representative, must be able to give a user’s decrypted CPNI data to them. An attack on the web site would allow a data broker to bypass the authentication mechanisms of the web site in some way. Such attacks are analogous to deceiving a customer service representative by pretexting. Encryption is not effective against this sort of attack, as the web site, like the customer service agent, will simply display the decrypted CPNI data once convinced of the user’s identity.

We do agree that encryption could help in mitigating the damage dealt by a cyberattack where a data broker fraudulently gains direct access to a carrier’s database. In such an attack the attacker would be forced to go to the additional trouble of figuring out which encryption scheme and which key were used.

While encrypting data can help against some forms of cyberattack, we are not in a position to comment on the prevalence of such forms of cyberattack as means of acquiring CPNI data relative to other methods like pretexting.

Encryption and Physical Theft
It is common practice for databases to be copied and stored for recovery in case of an accident or some need for older data. There is no doubt that, if backup copies were encrypted, physical theft of backups would be a pointless endeavor. We doubt, however, that physical theft is the primary method, or even a common method, of illegitimately acquiring CPNI data.

EPIC notes that many data brokers claim to be able to obtain CPNI data in several hours or days. We doubt that physical theft could be carried out often enough to substantiate this claim. Mandating encryption to guard against physical theft might be a good idea, but if our goal is to counter data brokers then the statute would be mostly unrelated to the goal.

Carrier’s Reservations and Responses
Carriers have commented that data is already encrypted ‘where appropriate’ and that encrypting stored records would be costly. We find these two statements contradictory. If some data is currently encrypted, then infrastructure for the encryption and decryption of data must already be in place. We do not think it likely that using that existing infrastructure to encrypt and decrypt additional data would be extremely costly.

Carriers have also argued that encryption would slow legitimate inquiries for CPNI. We do not believe this to be true. There are varying types of encryption, but it is possible to choose a method that is both secure and fast. In the case of a customer interacting with a carrier’s web site, we believe that the communication time between the web site and the customer’s computer will be far greater than the time required to decrypt the relevant CPNI data. As such, customers should not experience any noticeable slowdown.

We believe that the most powerful criticism of encryption as a means of mitigating inappropriate disclosure of CPNI data is that encryption provides benefits largely unrelated to that goal. As discussed above, encryption cannot stop pretexting or dishonest insiders, and is only effective against some forms of cyberattack. This does not mean that such forms of cyberattack are not worth guarding against.

Recommendations
We find it somewhat troubling that CPNI data is encrypted ‘where appropriate,’ not because all CPNI data should be encrypted, but because this represents individual carriers’ understandings of which pieces of CPNI data are worth protecting. If only to encourage baseline security practices, we believe that categories of CPNI data that must be encrypted should be established.

We recommend that any piece of CPNI data that might be used as personal identification of a customer (i.e. name, address, phone number, social security number) should be required to be encrypted. In this way CPNI data that is acquired via cyberattack would not be valuable to data brokers as they would be unable to tie records to people without decrypting the data.
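As an added example written for this page (not code from the group or from any carrier), the following Go program puts the argument of the “Encryption and Cyberattack” section and this recommendation side by side. The identifying fields of a record are encrypted before they reach the database, so a raw copy of the stored bytes (a stolen backup, or a database host reached without the key) yields nothing that ties a record to a person; the customer-service path, however, decrypts for any caller it has accepted as the account holder, which is exactly why encryption does nothing against a successful pretext. The row layout, the names Vault, StoreRecord, DumpContainsPlaintext and ServiceLookup, the choice of AES-GCM, the `callerAuthenticated` flag standing in for whatever identity check the carrier performs, and the sample subscriber are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PII groups the fields that identify a subscriber; they are encrypted as one unit.
type PII struct {
	Name  string `json:"name"`
	Phone string `json:"phone"`
}

// StoredRecord is a constructed row (not a real carrier schema): PII only as ciphertext.
type StoredRecord struct {
	AccountID   string
	EncPII      []byte // AES-GCM over json(PII), nonce prefixed
	CallMinutes int    // non-identifying data may stay in the clear
}

// Vault holds the field-encryption key; in production it lives in a key management system.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// SealPII encrypts the identifying fields under a fresh random nonce: nonce||ciphertext||tag.
func (v *Vault) SealPII(p PII) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plain, nil), nil
}

// UnsealPII reverses SealPII; the GCM tag makes it fail on any modification of the bytes.
func (v *Vault) UnsealPII(blob []byte) (PII, error) {
	var p PII
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return p, errors.New("ciphertext too short")
	}
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err == nil {
		err = json.Unmarshal(plain, &p)
	}
	return p, err
}

// StoreRecord encrypts the identifying fields before the row reaches the database.
func (v *Vault) StoreRecord(accountID string, pii PII, minutes int) (StoredRecord, error) {
	enc, err := v.SealPII(pii)
	return StoredRecord{AccountID: accountID, EncPII: enc, CallMinutes: minutes}, err
}

// DumpContainsPlaintext models reading the stored bytes without the key (stolen backup, compromised host).
func DumpContainsPlaintext(rows []StoredRecord, needle string) bool {
	for _, r := range rows {
		if bytes.Contains(r.EncPII, []byte(needle)) {
			return true
		}
	}
	return false
}

// ServiceLookup models the customer-service or web-site path: once the caller is accepted as the
// account holder the tooling decrypts, so a successful pretext gets exactly what the customer gets.
func (v *Vault) ServiceLookup(rows []StoredRecord, accountID string, callerAuthenticated bool) (PII, error) {
	if !callerAuthenticated {
		return PII{}, errors.New("caller not authenticated as account holder")
	}
	for _, r := range rows {
		if r.AccountID == accountID {
			return v.UnsealPII(r.EncPII)
		}
	}
	return PII{}, errors.New("no such account")
}

func main() {
	v, _ := NewVault(bytes.Repeat([]byte{7}, 32)) // fixed demo key only; use a random, managed key
	row, _ := v.StoreRecord("acct-0001", PII{Name: "Jane Q. Subscriber", Phone: "617-555-0101"}, 312)
	p, err := v.ServiceLookup([]StoredRecord{row}, "acct-0001", true)
	fmt.Println(DumpContainsPlaintext([]StoredRecord{row}, p.Name), p, err)
}
```

The split between what is encrypted and what stays in the clear is the policy decision this recommendation asks for: the name and number are sealed, while the opaque account id and a per-account call total remain usable for billing and statistics. Everything that protects the subscriber on the service path is concentrated in the `callerAuthenticated` decision, which is why the group’s other sections on passwords and pre-verification, not encryption, are the answer to pretexting.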

Small Carriers
We think that there might be a disproportionate burden on small carriers if, in order to meet the new standard of security, these carriers must upgrade their technology. Large carriers are likely to have significant technological resources and experience available. Small companies, on the other hand, are likely using software packages provided by third parties, and may not have the ability to edit such software. Therefore, requiring some minimum level of encryption might force small carriers to spend more money on new technology than they can afford. Instead of enacting legislation which applies equally to all carriers, it would be wise to specify a minimum yearly earnings threshold beneath which the legislation does not apply.