Nowhere to hide: Mobile privacy and the FCC privacy rules repeal

On Monday, President Donald Trump signed a resolution repealing Federal Communications Commission rules that would have prevented internet and telecommunications service providers from selling users’ data without consent. The FCC privacy rules hadn’t taken effect, but many people praised the rules as a victory for consumer privacy. While the “disapproval” of the rule affects internet use broadly, in this article I wanted to focus on some of the unique ramifications this repeal will have on mobile data, devices, apps, and users.

What are the FCC privacy rules and why do they matter?

In October 2016, the FCC voted on rules that would require internet service providers (ISPs) to obtain permission from customers before sharing their user data with third parties. It’s nothing new for ISPs, wireless carriers, and technology giants (e.g., Google and Facebook) to collect this data. The FCC rules, however, suggested that consumers owned their user data and should have a choice about how that data is used — especially in terms of who can access it. ISPs and other companies collect data about users of their services to sell ad targeting to marketers and advertisers.

Last week Congress voted to eliminate the new rules before they took effect, reversing the previous FCC decision and giving ISPs free reign to sell consumer data to the highest bidder.

Dismissal of FCC privacy rules: Mobile effects

What mobile data can be collected and sold?

The original FCC rules required that ISPs obtain user consent before sharing sensitive information such as precise geo-location (defined as the real-world location of a mobile device), children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history, and the content of communications.

What’s conspicuously missing from that list is voice and text messages and phone conversations, data regulated by a different set of rules. In an op-ed last week, former FCC chairman Tom Wheeler explained that while your conversations with a car dealership over the phone are protected, contact with that dealership that takes place over the internet can be collected.

The repeal does not empower ISPs to literally sell your information (e.g., a record including your name and what apps you use and what websites you visit). What they can sell is demographic targeting services (e.g., a service that allows an advertiser to reach males under the age of 30 that frequent a certain location in Illinois). This targeting service is not the same as selling activity history data itself. While carriers collect personally identifiable information, they typically sell data that has been anonymized.

I would encourage you to read your carrier’s privacy policy to better understand how they handle your data.

Why is the collection of that mobile data a concern?

Many people are concerned about mobile privacy. It’s disturbing to think about your mobile carrier profiling your activity — where you go, what apps you use, which sites you visit — and leveraging that information to sell ad targeting.

Another concern is the fact that a lot of the data ISPs can collect looks like data an attacker would target. As carriers and ISPs collect that data, it will create repositories that attackers may breach – consider compromises of Yahoo systems in 2013 and 2014. This sensitive data is often linked via a common identifier, such as mobile phone number, which enables an attacker to personally identify the data subject. Such info could also be used to target a group of users that have something in common, such as using a particular insecure app.

How is an ISP collecting this information any different than Google or Facebook collecting it?

One key difference is that the info Google and Facebook store while you use their service is essentially the price you pay for that service, as most of their features are free. Google and Facebook do not really hide the fact that advertising is their main revenue source, and they provide some tools for you to manage what info is shared from your profile. By contrast you pay a mobile carrier a monthly service fee for your mobile data usage, which is understood to be the price for the service. You expect them to move your data to the company or person you contact, and back to you – not necessarily to log, analyze and monetize your data along the way.

Another difference is in the scope of data they access. While services like Facebook collect information from your use of their services, your mobile carrier gathers information across all the services you use. The web URLs you access (through DNS lookups), as well as, data from factory-installed apps can span a wide range of your online activity. In reality, the gap between an ISP and companies like Google and Apple has narrowed, due to the many services bundled into Android and iOS, so this distinction may seem less relevant. But when you look at the stream of network data sent from a typical smart phone (which is all routed to the mobile carrier whenever you’re on 4G) it presents a huge amount of information.

How the FCC privacy rules repeal affects mobile apps

A case in point of how the FCC privacy rules might affect mobile apps is the Verizon AppFlash app. Verizon announced a partnership with Evie, an app search technology company, to launch AppFlash. According to the AppFlash privacy policy the app can:

“Collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”

The privacy policy also states who could have access to this information:

“AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.”

In response to an article from the Electronic Frontier Foundation (EFF) about the app, a Verizon representative stated that users need to opt-in to use AppFlash and can opt-out at any time. Thus far Verizon has rolled out AppFlash on one device (LG K20 V) in an effort to test the waters. The information collected by AppFlash falls within the same lines as data defined in the FCC privacy rules.

What can I do to protect my mobile privacy?

To start, review the privacy options available to you within your carrier account. Typically, carriers will give you some choice about how they can market to you, and even allow you to set limits on what data they can share. While it isn’t guaranteed that they won’t still collect the information, you can opt-out. Verizon customer privacy settings, for example, give users a choice as to whether Verizon can use or share what’s called Customer Proprietary Network Information and other data about you as part of their Business and Marketing Insights, or Relevant Mobile Advertising programs.

While some of these options are directly related to data collection and marketing, other options allow the carrier to use some of your information to assist third-party services (e.g., roadside assistance, which might request your location from the carrier). So, read each option carefully before opting out.

Private VPN software can help mask some of your data by encrypting it (even data transferred using insecure protocols), thereby making it unreadable to your mobile carrier and therefore without value to advertisers and marketers. However, even VPN apps aren’t perfect – or always trustworthy. Although the content is protected there is still some data that can be obtained even when using this method. For example data is encrypted in the VPN tunnel (from your mobile phone to the VPN server), but once it leaves the VPN server on its way to the actual destination, it is not encrypted. In addition, someone might side-step private VPN software installed to prevent snooping via a locally-installed app that collects data before it’s encrypted.