Homeland Security, FBI, and DOJ visit FCC, outline concerns about pretexting reform

Five members of the Federal Communications Commission received a visit on Tuesday, September 19th from seven Federal law enforcement representatives, who "reiterated and elaborated on arguments made in their previous filings" on the FCC's ongoing proceeding on pretexting rules, according to their publicly filed ex parte notice.

Those "previous filings" may refer to Department of Justice/Homeland Security comments in opposition to proposed rules to protect consumers from "pretexters"—con artists who trick phone services into disclosing customer data, then sell it on the Web and elsewhere.

Homeland Security and the Department of Justice oppose proposals that would require phone companies to destroy older customer data and routinely notify customers first of a security breach.

EPIC's five reforms

On February 10th, the FCC opened a comment cycle requested by the Electronic Privacy Information Center (EPIC). The Commission's Notice of Proposed Rulemaking (NPRM) asked for public feedback on EPIC's five proposed security measures to protect customer phone data: security passwords set by customers, better tracking of customer records, record encryption, letting customers know if their data has been stolen, and limits to how long phone companies can keep records.

In response to public outcry over pretexting, the FCC had, over the previous four weeks, cited several prominent "data brokers" $10,000 each for refusing to fully respond to subpoenas about their activities. On January 30th the Commission warned AT&T and Allitel that they may not have been in compliance with protocols necessary to guard the personal records of their customers, security failures that could cost $100,000 in fines.

But in response to the NPRM, the Departments of Homeland Security and Justice filed objections on April 28th to several possible pretexting reforms. The two agencies opposed deleting older consumer phone information, or "customer proprietary network information (CPNI)" in FCC lingo.

"For law enforcement, such CPNI is an invaluable investigative resource," the Homeland/DOJ comment stated, "the mandatory destruction of which would severely impact the Departments' ability to protect national security and public safety. . . . In crafting any solution to the problems raised by the EPIC petition, the Departments urge the Commission to reject imposing a mandate to destroy invaluable information used by the Departments in many of their most important investigations."

The filing urged the Commission to "focus on security measures to protect all CPNI against unauthorized access rather than a rule that would also preclude lawfully authorized access."

The DOJ/Homeland Security comment also complained that some companies do not keep their records long enough, especially the data for flat-rate service plans. "This has significantly diminished the availability of call records that were historically made available for law enforcement," the briefing explained, and continued:

"While it is recognized that changes in the communications industry over the past decade have resulted in changes in the record retention practices of such providers, it must also be acknowledged that the nature and immediacy of the threat confronting public safety and national security has significantly changed and evolved such that the need lawfully to access these critical records has increased, not diminished.

As a consequence of these changes, the Departments believe it is necessary to re-examine the Commission’s existing rules which no longer fulfill critical public safety or national security needs in three key respects: 1) the scope of carriers and providers covered; 2) the scope of information and records covered, and; 3) the duration of retention of information and records."

"III. Any Notice Requirement Adopted by the Commission Should Include A Provision Requiring Advance Notice to Law Enforcement and, Where Appropriate, Delayed Notice to the Consumer"

In addition, the Homeland/DOJ comment objected to rules that would require companies to regularly notify their customers first in the event of an improper disclosure of their calling records.

"While the Departments strongly support prompt victim notification in the case of security breaches," the comment argued, "we believe any rule requiring such notification should also require that carriers first notify law enforcement authorities . . . " Homeland/DOJ lawyers said that they want to be allowed to request a "reasonable delay" in notifying consumers "where such notification might harm related law enforcement investigative efforts."

"[T]he Departments suggest that any new rules requiring customer notification in the case of improper CPNI disclosure include a requirement that carriers provide prompt notice to law enforcement and an opportunity for law enforcement to request delayed notification to the consumer," the filing concluded.

The Tuesday, September 19th meeting included one DOJ representative, four FBI attorneys, and two spokespersons for the Department of Homeland Security. They spoke with five members of the FCC, none of them commissioners.