Mobile "Kill Switch" State Law Passed; Hackers Circumvent Mobile Lock

By Joy Tsai* and Nickolas Milonas

Minnesota recently became the first state to pass a “kill-switch” law, requiring all smartphones sold in the state after July 1, 2015 to include a security feature for owners to remotely disable their lost or stolen phones.  The “kill-switch” law aims to combat cell phone thefts, as the FCC estimates that nationally, one in three robberies involved a cell phone.  A Consumer Reports survey released last month found that 3.1 million Americans had cellphones stolen in 2013, which was almost double the 1.6 million thefts reported in 2012.  Allowing all smartphone owners to disable their devices after loss or theft is designed to deter theft in the first instance.  Some smartphone manufacturers already provide this security feature, and industry groups like CTIA note an industry-wide voluntary effort to combat theft, making Minnesota’s additional antitheft law unnecessary.  For example, Apple iPhones require user IDs and passwords for access, and include a remote lock and wipe feature to erase all content.

Even with such industry and legislative action, a recent alleged hack into Apple’s iCloud system has raised concerns about the effectiveness of such efforts.  A pair of hackers announced that an iCloud security vulnerability allowed them to disable the anti-theft deterrent “Activation Lock” feature on Apple’s devices.  The hackers claimed that by placing a computer between an iPhone and Apple’s servers, the iPhone would mistake the computer for the server, allowing the hackers to bypass the iPhone’s Activation Lock deterrent.  The hackers took to Twitter, announcing that their program unlocked over 10,000 devices in five minutes.  The hackers claimed that they contacted Apple in March about the security vulnerability but received no response.  While this hack highlighted unlocking stolen devices, other hackers have reportedly remotely locked iDevices and then sought ransom from the devices’ owners. These developments illustrate the continued back and forth between regulators, industry, and consumers in their efforts to combat mobile-device theft.

*Joy Tsai is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.

Mobile App Privacy Class Action Suit Largely Defeated

By Mike Pfeifer* and Nickolas Milonas

In the latest development of ongoing concerns regarding mobile data privacy, Apple, major app developers, and social media networks (such as Facebook, Twitter, and Electronic Arts) recently succeeded in dismissing all but one of the claims in a data privacy class action lawsuit.  The suit centered on the apps’ alleged data harvesting of consumers’ address books and other mobile data.  The federal court for the Northern District of California tossed out all but one of the various claims in the lawsuit, which included alleged violations of both federal and state consumer protection laws, as well as violations of common law.  The class action combined four suits filed after it was discovered that a mobile photo sharing app, Path, secretly obtained information from consumers’ address books and calendars.  

Apple avoided liability under the California Comprehensive Computer Data Access and Fraud Act (CDAFA), which prohibits companies from, among other things, accessing computer networks in order to facilitate the wrongful harvesting of user data.  Plaintiffs argued, among other things, that Apple was liable because it (i) published certain apps to its App Store, and (ii) encouraged of the development of the certain app features through guidelines and tutorials provided to developers.

With respect to the first theory, the court held that the Communications Decency Act (CDA) preempted the state law claim by shielding Apple from liability as a web publisher.  The CDA protects from liability web publishers that re-post third-party content in a neutral manner.  As for the second theory, the court found that Apple’s guidelines and tutorials amounted to actions that contributed to the development of the alleged illegal content.  This triggered the “information content provider” exception to CDA immunity that applies to companies that create and develop prohibited content, as opposed to simply re-posting it from a third-party.  Nevertheless, Apple escaped liability under this second theory because of a technical subtlety.

Additionally, the court found that the plaintiffs did not rely upon any particular representations or advertising campaigns Apple made about app privacy when purchasing their mobile devices.  Although the court previously ruled in favor of plaintiffs on this issue, on further review, it determined that in order to allow such a claim to proceed, a plaintiff must have done more than simply visit Apple’s App Store.  While the website represented that the apps in question ran in an environment safe from data sharing, there was little evidence that plaintiffs actually saw or relied upon that representation.

The court likewise held that Apple did not have any affirmative duty to disclose the potential danger of privacy infringement stemming from use of the apps in question.  A products liability claim failed because the court found that mobile address books not constitute property for which there can be a physical harm.

The court spared the app developer defendants, including the designer of the popular mobile device game “Angry Birds,” from liability under the Electronic Communications Privacy Act and Texas and California wiretap statutes.  However, the court allowed the plaintiffs’ “intrusion into seclusion” common law claim to proceed, noting that a jury should decide whether the harvesting of data from address books is “highly offensive,” the legal requirement once an individual’s reasonable expectation of privacy has been satisfied.

As more consumers access, create, and store content on mobile devices, issues surrounding data privacy, as well as the legal parameters of accessing mobile data, will necessarily continue and develop.

*Mike Pfeifer is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.

FCC Privacy Rules Updated for Smartphone Era

By Nickolas Milonas, Marc Martin, and Marty Stern

The Federal Communications Commission adopted a Declaratory Ruling that updates and broadens the scope of the FCC’s customer proprietary network information (CPNI) rules applicable to customer information stored on mobile devices.  Specifically, the ruling clarifies that wireless carriers have the same obligations to protect CPNI collected and stored on mobile devices using carrier software tools, as they do for CPNI collected through network facilities.  The Declaratory Ruling does not apply to third-party app developers, apps that customers download from an app store, nor to device manufacturers or operating system developers.  Commissioner Jessica Rosenworcel noted that the rules were in need of updating because the last time they were, the iPhone did not yet exist.

Under the existing rules, wireless carriers may use wireless devices to collect information regarding network use.  This type of information can include phone numbers of calls made and received, duration of calls, and the location of the device during the call.  Carriers use this information to monitor network congestion and improve network performance.  The FCC specifically recognized these benefits of carriers collecting CPNI on mobile devices and made clear that it was not barring carriers from doing so.  The Declaratory Ruling found, however, that when this information is stored on the mobile device of a customer, it may be vulnerable to unauthorized access and should be subject to similar protections as customer information maintained on carrier networks.  Consequently, the Declaratory Ruling requires wireless carriers to take “reasonable precautions” to safeguard that data, just as if the carrier was collecting the information from its network facilities, provided that the data is collected at the carrier’s direction and the carrier or its designee has access to or control over the information.  The Declaratory Ruling does not mandate a specific set of precautions or safeguards, but instead leaves it to each carrier to determine its own means of appropriate protection.

Cell Phone Unlocking Ban Criticized by White House and FCC Chairman

By J. Bradford Currier and Nickolas Milonas

The ban on unlocking cell phones to enable their use on different wireless networks announced late last year may be reconsidered following recent criticism of the rule by the White House and FCC Chairman Julius Genachowski. As we discussed here previously, the Copyright Office of the Library of Congress announced the ban as part of its triennial review of the copyright exemptions under the Digital Millennium Copyright Act, which eliminated an exemption for unlocking devices in place since 2006. Under the new rule, devices purchased before January 26, 2013 can still be unlocked by users, but devices bought after that date can be unlocked only with the carrier’s permission, even after the service contract expired.

The unlocking ban drew criticism, and a public petition was soon started on the White House website asking the President to support legislation making unlocking legal and to request that the Copyright Office reconsider its decision. After receiving over 100,000 signatures, the White House responded in support of the petition, stating that it was “common sense” that consumers who purchased cell phones and are no longer bound by service agreements should be able to use their devices on another network. The White House argued that unlocking ensured a “vibrant” wireless market and was strongly supported in the recommendations of the National Telecommunications and Information Administration to the Copyright Office. The response also noted that permitting unlocking is particularly important for secondhand devices that consumers may buy or receive as gifts. 

FCC Chairman Genachowski echoed the White House’s response, stating that the ban “raises serious competition and innovation concerns.” As the Copyright Office is within the Library of Congress, an agency of the legislative branch, the White House and the FCC Chairman agreed to work together with Congress to develop “legislative fixes,” clarifying that copyright law does not prevent consumers from switching carriers when they are no longer bound by a service agreement. The Copyright Office subsequently responded to the criticism, stating that the unlocking ban “would benefit from review” by Congress and was not meant to foreclose broader public policy discussions on the issue. 

Consumer groups praised the White House and FCC’s actions and argued that the unlocking ban should be reconsidered as part of a comprehensive review of current copyright laws. In contrast, wireless industry groups argued that reconsideration of the ban would be unfair to carriers because they often offer consumers significantly discounted prices for devices in exchange for long-term service agreements. 

While the support of the President and FCC places pressure on Congress to act on the unlocking ban, industry observers note that a legislative solution regarding unlocking may be hard to reach in the currently divided Congress. The current political climate has not stopped members of Congress from announcing efforts to craft such legislation, but it remains to be seen whether efforts to overturn the unlocking ban will be successful.

Data Privacy Update: FTC Releases Mobile Privacy Report and Settles Action against Path; Facebook to Identify Tracking Advertisements

By Nickolas Milonas, Marc Martin, and David Tallman

In a trio of recent data privacy developments, the FTC published mobile data policy recommendations, Path settled an FTC action regarding allegedly unlawful data collection, and Facebook will now tell users which ads are tracking their online activity.

The FTC recently released a staff report calling on mobile services to make their data policies more transparent and accessible to consumers. The report makes recommendations for mobile platform providers, application developers, advertising networks, and other key players in a rapidly expanding marketplace. The recommendations focus on providing consumers clear and timely disclosures about what consumer data is collected and how that data may be used. The report results in part from a May 2012 FTC workshop in which representatives from the industry, academia, and consumer privacy groups examined privacy risks and disclosures on mobile devices. 

Noting the expansive growth of services offered on mobile platforms, the report recognizes unique privacy concerns rooted in the “unprecedented amounts of data collection” possible from a single mobile device. The report also notes consumers are increasingly concerned about their privacy on mobile devices, stating “less than one-third of Americans feel they are in control” of their mobile personal data. 

With those concerns in mind, the report offers recommendations to improve mobile privacy disclosures. These recommendations are consistent with the broad principles previously articulated in the FTC’s prior March 2012 Privacy Report, which generally called upon companies handling consumer data to adhere to the core principles of “privacy by design,” simplified consumer choice, and greater transparency. The staff report elaborates on these general principles by providing guidance to address the unique challenges presented in the mobile environment (e.g., limited screen space, the centrality of platform and operating system providers, etc.) Among other recommendations, the report suggests: 

  • Developing privacy best practices and uniform, short-form disclosures;
  • Providing just-in-time disclosures to consumers requiring affirmative consent before allowing apps to access sensitive content like geolocation, contacts, or photos;
  • Developing a one-stop “dashboard” to review content accessed by apps; and
  • Offering a “Do Not Track” mechanism on smartphones to prevent third-parting tracking at the operating system level.

On the heels of the staff report, the FTC also announced a law enforcement action against Path, a mobile-only social network accused of collecting user data without consent. Through its social networking service, Path’s app allows users to upload and share content, including photos, comments, location data, and even the names of songs that the user plays. Among other allegations, the FTC claimed that the Path application automatically collected and stored personal information from users’ mobile device address books without the users’ consent (including names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth). The agency also alleged that Path violated the Children’s Online Privacy Protection Act by collecting personal information from approximately 3,000 children under the age of 13 without parental consent. Path settled with the FTC on the same day that the agency filed its action. Path agreed to pay $800,000 in fines, delete all information for users under 13, and submit a comprehensive privacy plan with updates/assessments every other year for the next 20 years. 

Finally, Facebook recently announced it will alert users to advertisements that are based on or track browsing history. When users are logged in to their Facebook account and hover over ads with their mouse, a new pop-up icon will alert users if they are being tracked. The feature is the product of an agreement between Facebook and the Council of Better Business Bureaus, and users are still able to opt out of brand-specific ads, as well as ad tracking altogether.

These developments highlight the continuing regulatory focus on online privacy issues, particularly in connection with social media and mobile applications.

Facebook App Offers Free Phone Calls Over Wi-Fi

By J. Bradford Currier and Marc Martin

In a move likely to further disrupt the voice services market, Facebook recently announced that it will offer free calls via Wi-Fi for users of its Messenger app on Apple devices in the United States. The Messenger calling feature, tested in Canadian markets earlier this month, allows users to “call” their Facebook friends who have installed the Messenger app and linked their mobile number with Facebook by clicking their contact information. While data charges will still apply for Messenger calls made over a wireless carrier’s 4G or 3G network, there will be no separate charge for calls made over a device connected to the Internet via a Wi-Fi connection. Facebook’s announcement marks another example of the growing trend of using mobile apps to end-run traditional public switched telephone network (“PSTN”)-based voice services.

While Messenger will allow users of Apple’s mobile operating system to call Facebook friends, calls to landlines or devices using non-Apple operating systems are not currently available. The Messenger app can be used to make calls not only on the iPhone, but any device running Apple’s mobile operating system, such as the iPad tablet. Consumers with Messenger already installed on their Apple device will not need to update the app to access the new calling feature, which was automatically downloaded to existing users. Facebook has not indicated when the Messenger calling feature will be available in other countries or for non-Apple operating systems. 

Industry observers praised the new Messenger features as critical for consumers with poor wireless network coverage or who want to conserve cell phone minutes and costs. However, Facebook may face opposition from the wireless industry, which may view the Messenger app as an unfair competitive threat. If the wireless industry attempts to block the Messenger app, it could result in an interesting test of the “no blocking” provisions of the FCC’s Open Internet Order (i.e., net neutrality), which generally prohibit mobile wireless providers from blocking lawful applications that compete with the provider’s voice or video telephony services. In addition, if the Messenger app begins to offer the capability to make calls to and receive calls from the PSTN, it would be subject to the same regulatory requirements applicable to PSTN-interconnected VoIP service. 

Depending on the traction Facebook Messenger gets, the service has the potential to further disrupt markets for traditional landline voice services, which are already facing pressure from the wireless industry and interconnected VoIP providers.

Wireless Data Roaming Rules Upheld by D.C. Circuit

By J. Bradford Currier, Marc Martin, and Marty Stern

Mobile wireless data providers must offer roaming agreements to competing carriers on “commercially reasonable” terms following the D.C. Circuit Court’s decision to uphold rules first adopted by the Federal Communications Commission in 2011. The FCC’s data roaming requirements were designed to supplement existing roaming obligations on mobile carriers that only applied to voice services by facilitating access to data services when customers travel outside of their providers’ networks. As we reported previously, the data roaming rules were adopted by a closely-divided FCC and were subsequently challenged by Cellco Partnership, more commonly known as Verizon Wireless.

Verizon Wireless challenged the data roaming obligations on three grounds, arguing that: (1) the FCC lacked statutory authority to impose “common carrier” type rules on mobile data providers; (2) new rules were unnecessary because mobile data providers were already entering into voluntary roaming agreements with competing carriers; and (3) roaming obligations would reduce incentives to expand wireless infrastructure if providers must share their networks with competitors.  Verizon Wireless alleged that the roaming requirements would unfairly benefit smaller carriers with limited networks at the expense of larger providers. In response, the FCC stated that the new rules did not impose common carrier type regulations on mobile data providers and the requirements were necessary in order to prevent larger carriers from excluding smaller providers from their networks. 

The D.C. Circuit began by noting that the FCC may not impose common carrier type obligations on providers of “information services,” including mobile data providers. However, the court found that the data roaming rules allow providers to negotiate the terms of their roaming arrangements on an individualized basis and do not require providers to serve other carriers indiscriminately on standardized terms. While the court recognized that the data roaming requirements “plainly bear[] some marks of common carriage,” the court deferred to the FCC’s determination that the new rules did not amount to common carriage regulation because providers can negotiate flexible terms and conditions. The court further concluded that the data roaming rules did not constitute an unconstitutional taking of Verizon Wireless’s data network or represent arbitrary and capricious rulemaking. Although supporters of the roaming rules also suggested that the court’s decision supports the FCC’s net neutrality rules currently subject to a separate appeal, the court in the data roaming case found that the FCC has explicit jurisdiction over wireless carriers under its broad authority over radio communications under Title III of the Communications Act.

FTC Chairman and Experts to Examine Mobile and Online Privacy in Upcoming Webcast

A live webcast program entitled Privacy Untangled, featuring Federal Trade Commission Chairman Jon Leibowitz and an expert panel will be carried on Broadband US TV on Friday, October 26, 2012, from 1:00-2:30 p.m. ET.

Balancing privacy with commercial interests has become increasingly complex and contentious, as businesses and government organizations rely on the collection, storage, and sharing of online and mobile consumer data. Recent regulatory initiatives, including the White House’s proposed Consumer Privacy Bill of Rights and related workshops, and the privacy enforcement actions and best practices reports of the FTC have placed evolving privacy practices in the spotlight. In addition, privacy watchdog groups continue to criticize the government’s privacy initiatives as insufficient, while service providers complain of the government over-reaching in its regulatory approach towards industry privacy practices.

An in-depth examination of these issues will be provided in a live webcast with co-hosts Marty Stern of K&L Gates and Jim Baller of the Baller Herbst Law Group. In addition to special guest FTC Chairman Jon Leibowitz, the program will feature an expert panel with Sue Kelley, American Public Power Association General Counsel; Deborah J. Matties, Attorney Advisor to FTC Chairman Leibowitz; Emily Mossberg, Principal at Deloitte & Touche LLP; Ross Shulman, Public Policy and Regulatory Counsel at the Computer and Communications Industry Association; Bernin Szoka, President at TechFreedom, and Peter Swire, former Chief Counsel for Privacy under President Clinton and current professor at the Ohio State University.

The panel will engage in a lively discussion regarding privacy issues and the government’s recent initiatives to adjust privacy regulations for an evolving online and mobile marketplace.

You can register for the webcast here (free registration required).

FTC Releases Mobile App Privacy and Advertising Guide

By J. Bradford Currier, Marc Martin, and Samuel R. Castic

Developers of mobile applications are urged to adopt truthful advertising practices and build in basic privacy principles into their products under guidance recently issued by the Federal Trade Commission. The guidance is aimed at providing mobile app start-ups and independent developers with marketing recommendations designed to ensure compliance with federal consumer protection regulations. The guidance follows recent actions by the Federal Communications Commission, the White House, states, private stakeholders, and the FTC itself to establish mobile privacy codes of conduct and safeguard consumer information. The FTC guidance focuses on two key regulatory compliance areas for mobile app developers: (1) truthful advertising and (2) consumer privacy.

(1)        Truthful Advertising – The guidance recommends that mobile app developers always “[t]ell the truth about what your app can do.” The FTC cautions mobile app developers that anything a developer tells a prospective buyer or user about their app can constitute an advertisement subject to the FTC’s prohibitions on false or misleading claims. As a result, mobile app developers are encouraged to carefully consider the promises made concerning their apps on websites, in app stores, or within the app itself. Specifically, the guidance reminds mobile app developers that any claim that an app can provide health, safety, or performance benefits must be supported by “competent and reliable” scientific evidence. The FTC notes that it has taken enforcement action against mobile app developers for suggesting that their apps could treat medical conditions and recommends app developers review the FTC’s advertising guidelines before making any claims to consumers.

The guidance also advises mobile app developers to disclose key information about their products “clearly and conspicuously.” While the guidance recognizes that FTC regulation does not dictate a specific font or type size for disclosures, mobile app developers are encouraged to develop disclosures that are “big enough and clear enough that users actually notice them and understand what they say.” The FTC warns mobile app developers that it will take action against mobile app developers that attempt to “bury” important terms and conditions in long, dense licensing agreements. 

(2)        Consumer Privacy – The guidance calls upon mobile app developers to build privacy considerations into their products from the start, also known as “privacy by design” development. The FTC suggests that mobile app developers establish default privacy settings which would limit the amount of information the app will collect. The FTC also recommends that app developers provide their users with conspicuous, easy-to-use tools to control how their personal information is collected and shared. The guidance pushes mobile app developers to get users’ express agreement to: (1) any collection or sharing of information that is not readily apparent in the app; (2) any material changes to an app’s privacy policy; or (3) any collection of users’ medical, financial, or precise geolocation information. At all times, mobile app developers should be transparent with consumers about their data collection and sharing practices, especially when the app shares information with other entities. 

The FTC also advocates that mobile app developers install strong personal information security protections in their products. In order to keep sensitive data secure, the guidance suggests that mobile app developers: (1) collect only the data they need; (2) secure the data they keep by taking reasonable precautions against well-known security risks; (3) limit access to a need-to-know basis; and (4) safely dispose of data they no longer need. Mobile app developers are also encouraged to establish similar standards with any independent contractors.

The guidance also pays special attention to the issue of mobile app protection of children’s privacy under the Children’s Online Privacy Protection Act (“COPPA”). The guidance reminds mobile app developers that they must clearly explain their information practices and get parental consent before collecting personal information from children if their apps are “directed to” kids under age 13 and keep such information confidential and secure. The FTC’s recommendations parallel its recently proposed rules designed to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. Mobile app developers are encouraged to contact the FTC or review the Bureau of Consumer Protection’s business resources when developing their privacy policies.

FAA Ban of Wireless Device Use on Aircraft to be Reexamined

By J. Bradford Currier, Marc Martin, and Marty Stern

Recognizing the ubiquitous nature of wireless devices in modern life, the Federal Aviation Administration has announced the establishment of a government/industry working group which will reexamine the rules governing passenger use of electronic devices during flight. Current federal regulations ban mobile phone use during flight, as well the use of laptops and other personal electronic devices below 10,000 feet, due to concerns that the devices could interfere with critical aircraft instruments. Critics suggest that the current rules are too restrictive and overstate the risks of airplane interference from personal electronic devices.

The working group will undertake a six-month inquiry into the proper technological standards for in-flight personal electronic device use and present its recommendations to the FAA. Critically, the group will not consider the airborne use of mobile phones for voice communications. The working group will be formally established in the fall and include “representatives from the mobile technology and aviation manufacturing industries, pilot and flight attendant groups, airlines, and passenger associations.”

The FAA also released a Request for Comments (responses due 60 days after publication in the Federal Register) seeking public input on the current restrictions on in-flight personal electronic device use. Specifically, the FAA seeks comment in nine areas:

  • Operational, safety, and security challenges associated with expanding personal electronic device use.
  • Data sharing between aircraft operators and manufacturers to facilitate authorization of personal electronic device use.
  • Necessity of new certification regulations requiring aircraft designs to tolerate personal electronic device emissions.
  • Information-sharing for manufacturers who have demonstrated electronic device/aircraft compatibility to facilitate new and modified aircraft designs. 
  • Development of industry standards for aircraft-friendly devices or aircraft-compatible modes of operation. 
  • Publication of aircraft operators’ personal electronic device policies.
  • Restrictions on personal electronic device use during takeoff, approach, landing, and abnormal conditions to avoid distracting passengers during safety briefings and prevent possible passenger injury.
  • Development of standards for systems that actively detect potentially hazardous personal electronic device emissions.
  • Technical challenges associated with personal electronic device use, and support from device manufacturers to commercial aircraft operators.

UpdateThe FAA’s Request for Comments has been published in the Federal Register.  Comments will be accepted until October 30, 2012.

Obama Administration Pursues Mobile Privacy Code of Conduct

By J. Bradford Currier and Marc Martin

The National Telecommunications and Information Administration (“NTIA”) will hold its first meeting on July 12, 2012 aimed at developing voluntary codes of conduct designed to provide consumers with clear information regarding how personal data is handled by companies which develop and offer applications for mobile devices. The NTIA’s planned meetings with stakeholders were first announced in February 2012 as part of the White House’s proposed Consumer Privacy Bill of Rights. The NTIA meeting comes as both the Federal Trade Commission and Federal Communications Commission have recently taken action to improve consumer transparency and privacy safeguards for personal information collected by mobile apps.

A number of stakeholders have already filed comments expressing their support for improving the clarity and comprehensiveness of privacy disclosures provided to mobile app consumers. However, a number of commenters noted that the rapid pace of innovation in the mobile app market and the relatively small screen sizes of current mobile devices will make long-term, definitive disclosure rules difficult to develop. While NTIA hopes to tackle a number of Internet policy topics, including copyright and cybersecurity issues, the organization chose mobile app privacy as the first meeting topic because it believes consensus on a code of conduct can be reached “in a reasonable timeframe.” NTIA expects the mobile app privacy meeting will serve as a useful precedent for later discussions involving other online consumer protection concerns.

The NTIA meeting is open to all interested stakeholders and a venue should be announced before the end of the month. Interested stakeholders are asked to inform NTIA online in advance if they plan to attend the meeting.

Mobile Device Privacy Inquiry Comment Deadlines Set by FCC

By J. Bradford Currier and Marc Martin

Interested stakeholders may now file comments on the Public Notice recently released by the Federal Communications Commission relating to safeguarding Customer Proprietary Network Information on mobile devices. As we reported previously, the Public Notice seeks information on a number of privacy issues, including the types of customer information collected by wireless service providers, the steps that should be taken by wireless service providers to secure such data, and the scope of wireless service providers’ obligations relative to the device manufacturer or software developer.

The Federal Register notice states that comments on the Public Notice must be filed by July 13, 2012, and reply comments must be filed by July 30, 2012.

FCC Seeks Comment on Mobile Phone Privacy Protections

By J. Bradford Currier and Marc Martin

The Federal Communications Commission recently released a Public Notice seeking comment on, among other things, how mobile wireless service providers safeguard customer information stored on user devices. The Public Notice was accompanied by an FCC Staff Report, discussing the privacy issues presented by location-based mobile applications, which collect and transmit information about a user’s physical location to the service provider in order to provide real-time services. The Public Notice requests comment on the types of customer information collected by wireless service providers, the steps that should be taken by wireless service providers to secure such data, and the scope of wireless service providers’ obligations relative to the device manufacturer or software developer, as set forth below.

The Public Notice seeks to update the record developed in response to a 2007 Further Notice of Proposed Rulemaking concerning the obligations of wireless service providers under the Communications Act to protect their users’ customer proprietary network information (“CPNI”). The Public Notice invites input on whether current data security practices meet consumer needs and whether developments in the past five years pose new risks to protecting CPNI. The FCC also request comment on the importance of certain factors when assessing a wireless service provider’s compliance with the CPNI rules, including:

  • Whether the device is sold by the service provider;
  • Whether the device only works on a single service provider’s network;
  • The degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information;
  • The service provider’s role in selecting, integrating, and updating the device’s operating system, preinstalled software, and security capabilities;
  • The manner in which the collected information is used;
  • Whether the information pertains to voice service, data service, or both; and
  • The role of third parties in collecting and storing data.

The Public Notice asks whether the FCC should adopt a declaratory ruling clarifying the application of these factors and the regulatory obligations of wireless service providers that collect sensitive consumer data. Comments will be due 30 days after publication of the Public Notice in the Federal Register, with reply comments due 45 days after Federal Register publication.

Online Video Captioning Rules Published in Federal Register

By Marty Stern and J. Bradford Currier

The FCC’s new closed captioning rules for previously televised online video were published in the Federal Register on March 30, 2011, with an effective date of April 30 and triggering additional deadlines for various IP video captioning requirements. The new rules implement IP closed captioning obligations required by the Twenty-First Century Video Communications and Accessibility Act of 2010 and initially proposed by the FCC in September 2011. Reports indicate that affected companies may launch legal and administrative challenges to the new rules now that they have been published.

The Report and Order adopting the rules consists of four key sections:

First, for owners, providers, and distributors of video programming, the new rules establish a regimented system for displaying closed captioning in both new and archived video content. The Report and Order defines video programming owners (“VPOs”) as “any person or entity that either (i) licenses the video programming to a video programming distributor or provider that makes the video programming available directly to the end user through a distribution method that uses Internet protocol; or (ii) acts as the video programming distributor or provider, and also possesses the right to license the video programming to a video programming distributor or provider that makes the video programming available directly to the end user through a distribution method that uses Internet protocol.” Meanwhile, the Report and Order defines video programming distributors (“VPDs”) and video programming providers (“VPPs”) identically as “any person or entity that makes video programming available directly to the end user through a distribution method that uses IP.”

Under the new regulations, VPOs will be required to include closed captioned files along with any video programming made available to VPDs and VPPs. The rules mandate that the quality of the required captioning be of “at least the same quality” as the captioning of the same programming when shown on television. Once they receive the required files, VPDs and VPPs must ensure the rendering or “pass through” of all required closed captioning content to end users, including through any equipment provided by the VPDs and VPPs such as television set-top boxes. The FCC obligated VPOs to establish a “mechanism” to make information available to VPDs and VPPs regarding whether certain video programming is subject to the closed captioning requirements on an ongoing basis. VPDs and VPPs which rely on the established mechanism in “good faith” will not be held responsible for determining whether captions are required for the programming files they receive. VPOs and VPDs may petition the FCC for case-by-case exemptions from the closed captioning requirements based on economic burden. The FCC declined to establish any categorical exemptions to the closed captioning requirements, but did indicate that de minimis failures to meet the new rules would not result in an actionable violation and regulated entities could achieve compliance through FCC-approved alternative means.

Second, the Report and Order established a deadline schedule for the captioning of new and archival video content. Prerecorded programming that is unedited for Internet distribution must meet the captioning requirement within 6 months of the March 30 publication date (September 30, 2012). Meanwhile, all live or near-live programming must be compliant within 12 months from publication (March 30, 2013), and prerecorded programming edited for Internet distribution must be adequately captioned within 18 months (September 30, 2013). For archival video programming content already available online without captions but which re-airs on television with captions, the FCC created an increasingly strict compliance schedule. In two years (March 30, 2014), such archival programming must be captioned within 45 days after it is re-aired. In three years (March 30, 2015), such programming must be captioned within 30 days after it is shown on television, with the timeline compressed to 15 days in four years (March 30, 2016). 

Third, the new rules broadly defined the types of “apparatus” that will be subject to the closed captioning obligations. The regulations cover not only physical devices such as television set-top boxes, personal computers, smartphones, tablets, DVD and Blu-ray players, but also all “integrated software” that is installed in a covered device by the manufacturer before sale or that the manufacturer requires the consumer to install after sale. By contrast, third-party video players independently installed by the consumer, but not required by the manufacturer to enable video playback, will not fall under the scope of the new rules. The new rules will also not extend to commercial equipment such as movie theater projectors or display-only monitors lacking playback capability. Critically, the FCC’s closed captioning requirements will no longer be limited to devices with screens larger than 13 inches, an exception originally established in the Television Decoder Circuitry Act of 1990

Manufacturers of covered devices will be able to petition the FCC for case-by-case waivers of the new rules due to “lack of achievability.” Whether compliance is achievable for a particular device will depend upon: (1) the costs of manufacturing a compliant device or software; (2) the technical and economic impact of compliance on the manufacturer and innovation; (3) the size and nature of the manufacturer’s operations; and (4) the extent to which the manufacturer offers other devices or software with accessibility features at differing price points.  As an alternative, manufacturers may also petition the FCC for a waiver by arguing that the device or software is “primarily designed” for activities other than receiving or playing back video programming. Beyond these exceptions, the FCC refused to create any categorical exemption to the closed captioning requirements for any specific device or software. All covered devices and software must achieve compliance with the closed captioning rules by January 1, 2014, although the FCC expects device manufacturers to take accessibility into consideration as early as possible during the design process for new and existing equipment.”

Fourth, the FCC adopted certain technical standards governing the color, size, font, opacity, and other aspects of the captioning text recommended by the Video Programming Accessibility Advisory Committee in July 2011. Additionally, although the FCC declined to adopt a mandatory format for the interchange or delivery of closed captioning content, the new rules established the Society of Motion Picture and Television Engineers Timed Text format (“SMPTE-TT”) as a “safe harbor” format. The FCC stated that the SMPTE-TT format met all of the technical aspects of the new rules and was already being used to reformat television content for Internet use. The FCC will continue to review industry practices for new safe harbor format options.

FCC's Comment Deadline Set for Online Video Closed Captioning NPRM

The FCC's Media Bureau announced the following comment deadlines for the FCC’s recently released Notice of Proposed Rulemaking to adopt closed captioning rules for video programming delivered by Internet Protocol: Comments:  October 18, 2011. Reply Comments:  October 28, 2011. As we reported previously, the NPRM proposes closed captioning requirements mandated by the Twenty-First Century Video Communications and Accessibility Act of 2010 (“CVAA”). The new rules would apply to a broader range of devices, including mobile devices, and content providers would be required to meet a strict schedule based upon the type of content captioned.  Notably, under the NPRM, the FCC's closed captioning rules would no longer be restricted to television receivers or to those devices with screens larger than 13 inches, an exception originally established in the Television Decoder Circuitry Act of 1990.  The CVAA requires the FCC adopt these rules by January 12, 2012.

FCC Proposes Closed Captioning Rules for Online Video

By Marc Martin and Marty Stern

Closed captioning of online video for mobile and other devices is a step closer to reality with the FCC's release of a Notice of Proposed Rulemaking in connection with its implementation of the Twenty-First Century Video Communications and Accessibility Act of 2010 (“CVAA”). The CVAA required the FCC to adopt rules providing for the captioning of video programming delivered using Internet Protocol or IP if that programming previously appeared on television with captions. The new captioning regulations would apply to a broad category of IP-enabled devices, such as personal computers, mobile devices, videogame consoles, Blu-Ray players, and television set top boxes. Affected programming distributors will be able to seek hardship waivers from the proposed rules and will not be held responsible for minor compliance failures. Comments will be due within 20 days after publication of the Notice in the Federal Register, with reply comments due a quick 10 days after the deadline for initial comments.

Tech companies have already submitted numerous comments to the FCC in connection with CVAA proceedings, cautioning the Commission against adopting burdensome compliance obligations which could hamper innovation. The NPRM proposed a deadline schedule for the captioning of content, with pre-recorded programming unedited for Internet distribution meeting the captioning requirement within 6 months of the publication of the final rules in the Federal Register, live or near-live programming compliant within 12 months, and pre-recorded programming edited for Internet distribution adequately captioned within 18 months. The FCC chose not to adopt a controlling technical standard for the delivery of IP-enabled closed captioning.

The FCC also proposes in the NPRM to:

  • Require video programming owners to send captioned files for IP-delivered video programming to video programming distributors and video programming providers along with program files;
  • Obligate video programming distributors and video programming providers to “enable the rendering or pass through of all required captions to the end user”;
  • Mandate that the quality of all required captioning of IP-delivered video programming to be of “at least the same quality” as the captioning of the same programming when shown on television;
  • Adopt methods for handling complaints alleging a violation of the new requirements; and
  • Seek industry input regarding when an “apparatus” will fall under the obligations of the CVAA and when it is “technically feasible” for an apparatus to comply with the proposed rules.

The NPRM follows in the wake of the FCC’s August order reinstating video transcription requirements for the “big four” television networks, large cable systems, and direct broadcast satellite services.