International Trade Today is a service of Warren Communications News.

GROUPS DEBATE FCC'S REACH ON CONSUMER DATA DURING 911 CALLS

Wireless carriers, privacy advocates and public safety groups differed over details of when federal law requires a mobile operator to divulge caller location information sent to a 911 center receiving an emergency call. The FCC sought feedback on a public safety petition on how provisions on customer privacy in the Communications Act intersected with newer language in the Patriot Act and other laws. One issue raised was the privacy protections when a 911 caller was dialing on behalf of someone else.

The National Emergency Number Assn. (NENA), Assn. of Public Safety Communications Officials (APCO) and National Assn. of State Nine One One Administrators (NASNA) sought a rulemaking or declaratory ruling from the FCC in May. They asked the agency to examine how Sec. 222 of the Communications Act and criminal code provisions in the Patriot Act and Homeland Security Act treated customer information sent to public safety answering points (PSAPs) during 911 calls. Sec. 222 protects the confidentiality of customer proprietary network information (CPNI). While the location of a customer usually would be treated confidentially, the law carves out an exception for emergency calls from commercial wireless users. Sec. 222 said call location details could be released to a PSAP to respond to a user’s call for emergency services. But the Homeland Security Act of 2002 made changes in the list of exceptions for when such communications could be disclosed. It included allowing disclosure to a govt. entity if a communications provider “reasonably believes” that an emergency involving danger of death or serious physical injury to any person requires it. The Patriot Act added similar language covering customer “records.” One issue raised is a 1996 Justice Dept. advisory to the FCC on wireless location language that allows the govt. to “require” disclosure of caller information during emergencies while newer statutory language says a provider “may” divulge such information. The groups argued that without a clear showing of congressional intent, it would be unfortunate to limit Sec. 222 disclosure to preclude “Good Samaritan” calls.

The Electronic Privacy Information Center (EPIC) urged the FCC to open a rulemaking to reconcile confusion between Sec. 222 provisions on customer information and newer language in criminal statutes such as the Patriot Act. EPIC said in comments late Fri. there were significant differences “that must be reconciled to reduce industry confusion about when and how to disclose subscribers’ location information in emergency situations.” EPIC said emergency services providers faced uncertainty about how to read the law. “The FCC should provide an explanation of how the statutes relate to each other so that wireless service providers will be better able to standardize their actions in emergency situations,” EPIC said. Clarification on how the Communications Act and criminal code intersect in that area also would help to harmonize the disclosure policies of wireless carriers, the group said.

EPIC said the FCC should: (1) Clarify that the definition of a user in Sec. 222 “must be interpreted with regard to whether it includes disclosure of the location information of a caller who is not personally in need of emergency assistance.” Such scenarios would include 911 calls made on behalf of another caller for someone needing emergency help. “Limiting disclosure of location information to users who personally require emergency assistance could increase response times in emergency.” EPIC disagreed with public safety groups that Sec. 222 should extend to disclosure of location information whether a caller personally needed assistance. Instead, that provision should be interpreted to require a caller’s consent before his or her location information could be disclosed when the caller didn’t require aid, EPIC said. “If the Commission does not institute a consent requirement, a dispatcher may have more power than the consumer himself to exercise control over the consumer’s information,” it said. (2) Clear up confusion on when a govt. entity can access customer records, with some statutory language carrying an “implied consent” interpretation and others allowing for disclosure only when there is immediate risk of death or serious physical harm. EPIC said, however, that such provisions shouldn’t be interpreted broadly to include property that was at risk as a justification for disclosure, as NENA suggested.

The issues raised by the public safety petition should be taken up with Congress, not the FCC, CTIA said. The group said E911 rules mandated that wireless carriers transmit every 911 call to a PSAP and provide those who could process it with a caller’s number and location. “While a wireless carrier must automatically transmit location information to a PSAP that is capable of receiving it as part of the 911 call, there is no Commission requirement to disclose this location information such as in response to a telephonic request from an agency or family member who asserts an emergency,” CTIA said. The Electronic Communications Privacy Act (ECPA) requires the govt. to serve a service provider with at least a subpoena if an agency is seeking customer records that include details such as name, address, phone numbers, call length and type of service. Disclosure of other information, such as caller location, requires the govt. to obtain a court order. “ECPA does not distinguish PSAPs or other government emergency response personnel from other law enforcement entities,” CTIA said. Sec. 222 isn’t in conflict with the ECPA on that point, because with limited exceptions it allows disclosure of customer proprietary network information except as required by law or with a customer’s approval. The Justice Dept.’s advisory is that a 911 caller “impliedly” consents to disclosure of his or her physical location when a 911 call is made. Only a subscriber to a service can consent to disclosure of his or her records, meaning the DoJ advisory doesn’t extend to a concerned family member or friend, CTIA said.

CTIA also disagreed with the petition’s argument that additions to the ECPA after Sept. 11 included disclosures for emergencies relating to destruction of property, not just risk of life. “It is hard to argue that Congress was unaware of the great property destruction caused by the September 11 attacks,” CTIA said. “That Congress nonetheless kept the exception for emergency disclosure narrow speaks volumes about congressional intent even if the words ‘death or serious physical injury’ somehow could be read to be ambiguous.” The FCC doesn’t have authority to update the ECPA in that manner, the group said.

Sprint agreed it would be helpful to have clarification of the line separating a customer’s “reasonable privacy interests” and legitimate public safety needs. If carriers had uniform and clear rules identifying what sensitive customer data could or could not be shared under different scenarios, it could help operators respond more quickly to public safety inquiries, Sprint said. The carrier said it had crafted appropriate procedures under current law. “Sprint, however, is still bound by the letter of the law,” it said. “The difficulty presented by the petition is that it is unclear that the Commission could grant it as a matter of law.” For example, the FCC doesn’t have the ability to redraw the line that Congress has set that limits Sec. 222 disclosure to cases when a caller and the person requiring emergency assistance are one and the same. Instead, Sprint urged the FCC to invite Justice to submit a legal memorandum on carrier obligations under federal criminal laws that applied to sharing customer information with PSAPs and how those duties under criminal law intersected with Sec. 222 of the Communications Act. After that filing is made, Sprint suggested the FCC could hold a workshop to examine alternatives for meeting the letter of the law and the needs of public safety.

Comments by NENA, APCO and NASNA underscored the importance of clarifying when protections for disclosure of information extend to a caller dialing 911 on behalf of someone else. The groups gave as an example a “protracted incident” in N.C. in which a series of fraudulent 911 calls were made. “What followed was a lengthy and harassing ordeal that could not be helped by the information ultimately supplied to public safety authorities through the wireless carrier,” the groups said. “However, had the authorities known sooner that the available information could not lead to the caller, they might have pursued a different strategy earlier.” The groups said that in many cases wireless carriers didn’t have 24-hour service centers that were capable of receiving PSAP requests for customer proprietary network information during emergencies. The information available from suppliers of prepaid wireless service is sketchier because they typically receive less information from a customer when prepaid service is activated.