Consumers should be aware that “government transparency” also applies to the data consumers voluntarily provide to the FCC when they participate in a government-run broadband measurement program.
The most egregious aspect of these broadband measurement programs, however, is that the FCC kept the public in the dark for more than a year by failing to disclose that its mobile testing apps were collecting user locations (by latitude and longitude) and unique handset identification numbers that the FCC’s contractors can make available to the public.
The Federal Communications Commission (FCC) recently announced a new program to measure mobile broadband performance in the United States. The FCC believes it is “difficult” for consumers to get detailed information about their mobile broadband performance, and that “transparency on broadband speeds drives improvement in broadband speeds.” The FCC does not, however, limit transparency to broadband speeds. Consumers should be aware that “government transparency” also applies to the data consumers voluntarily provide to the FCC when they participate in a government-run broadband measurement program. Information collected by the FCC about individual consumers may be “routinely disclosed” to other federal agencies, states, or local agencies that are investigating or prosecuting a civil or criminal violation. Some personal information, including individual IP address, mobile handset location data, and unique handset identification numbers, may be released to the public.
This blog post describes the FCC’s broadband measurement programs and highlights the personal data that may be disclosed about those who participate in them.
Consumers who wish to participate in an FCC testing program should first read all of the applicable privacy policies to understand how the government and its third-party vendors will use their data. The FCC has not yet determined how it will implement its new mobile broadband measurement program, and is seeking public input about appropriate methodologies for testing mobile performance at an open meeting, which will be held today from 9:30 AM to 11:00 AM Eastern in the FCC’s Meeting Room (TW-C305) at 445 12th Street SW, Washington, DC 20554. The meeting will also be live streamed here. Given the FCC’s poor track record describing the information it actually collects, consumers should consider raising questions regarding the FCC’s privacy policies and testing methodologies at this open meeting.
The FCC’s Broadband Measurement Programs
The FCC’s new mobile testing initiative expands its ongoing “Measuring Broadband America” program. The current program measures the performance of residential wired and wireless broadband service in the United States using several different tests.
Under the “FCC SamKnows Broadband Community” program, the agency tests the broadband connections of residential consumers who volunteer to use a wireless router running custom software provided by SamKnows, a British company retained under contract by the FCC. The wireless routers, known as “White Boxes,” began shipping to U.S. consumers in September 2010. The FCC released its first report on wireline broadband performance in August 2011, and a second report in July 2012. All network traffic generated by consumers using SamKnows flows through the White Boxes, and continuously monitors personal consumer data until the participant affirmatively opts out of the program. SamKnows says its “goal is to embed [its] software suite into internet [sic] enabled devices . . . globally.”
In March 2010, the FCC made available a software-based broadband speed test (i.e., a test that does not require hardware supplied by SamKnows) for both wired and wireless Internet access. These tests are collectively known as the “Consumer Broadband Test.” The wireline test is still available in its “beta” version and allows consumers to choose between two testing companies: Ookla and M-Lab. The mobile version, which was developed by Ookla and appears substantially similar to Ookla’s own Speedtest.net app, is available for both the Google Android and Apple iOS operating systems and can be downloaded from their apps stores and the federal government’s official web portal. These apps monitor, collect, and report a consumer’s mobile data rates, latency, and user location when initiated on the handset.
Finally, consumers who do not have broadband Internet access available at their home can submit a “Broadband Dead Zone Reporting Form” to the FCC that includes their home address. The FCC is apparently using these reports to create a “Broadband Dead Zone Registry.”
Why Is the FCC Asking You to Help It Measure Broadband Speeds?
The FCC asserts that its tests are necessary because information regarding broadband performance is not readily available to consumers and could be inaccurate. Now that the FCC has gotten into the broadband speed testing market, however, other providers of these services have begun to question the accuracy of the FCC’s tests and whether there is a need for government testing.
When the FCC announced that it had contracted with SamKnows to measure wireline broadband speeds, Ookla stated that the FCC’s plan to conduct expensive tests that gather small samples of data similar to that which is already widely available in the market “offers little added insight into the discussion of the speed, quality, and availability of broadband connections across the nation and is an unacceptable waste of taxpayer money.” Ookla offers free broadband speed testing for wired and wireless connections at speedtest.net, free broadband quality testing at pingtest.net, and monthly snapshots of global broadband performance at Net Index. In fact, the FCC’s current mobile measurement apps are based on Ookla’s free speedtest.net app.
There are many other commercial sources of broadband performance available as well. For example, PC Magazine performs annual field tests of mobile broadband speeds in 30 cities nationwide using three vehicles over a three-week period. In its most recent tests, it completed 60,000 test cycles and published test results by region, carrier, and technology (3G and 4G).
Given the readily available commercial alternatives, there is no compelling reason for consumers to participate in the FCC’s broadband measurement programs. There is at least one very good reason, however, for consumers to avoid participating in the FCC’s tests. The tests collect your personal data, and once you’ve volunteered to provide it to the government, it can do virtually anything it wants with it.
The Privacy Act and Government Data Sharing
In its most recent Privacy Act filing, the FCC describes the personal information it maintains about consumers who participate in its broadband measurement programs:
- The street address, city, state, and zip code, of each individual who elects to participate in the Broadband Dead Zone Report survey and each individual who participates in both the wired and wireless versions of the Consumer Broadband Test;
- The Internet Protocol (IP) address of each individual who elects to participate in both the wired and wireless versions of the Consumer Broadband Test;
- The unique handset identification number of each individual’s smartphone used to access the mobile Consumer Broadband Test; and
- The location (in latitude and longitude) reported by each user’s handset at the moment the user initiates the mobile Consumer Broadband Test.
The use of this data is not, however, limited to the FCC.
The Privacy Act, 5 U.S.C. § 552a, governs the collection, use, and dissemination of personal information by the federal government and its contractors. The Privacy Act generally prohibits federal agency disclosure of records maintained on individuals, but that prohibition is subject to a number of exceptions. One exception allows a federal agency to share personal data with federal, state, or local agencies for civil or criminal law enforcement activities. Another exception includes “routine use,” which allows the use of personal data for “a purpose [that] is compatible with the purpose for which [the personal data] was created.”
The FCC’s privacy policy and system of records for its broadband measurement programs reveals that the agency makes liberal use of these exceptions. The FCC is routinely sharing this personal data with federal, state, or local agencies whenever “there is an indication of a violation or potential violation of a statute, regulation, rule, or order,” and with the Department of Justice when it is relevant to litigation. There are virtually no limits on the use or disclosure of personal data by the FCC’s contractors.
IP addresses, mobile handset location, and unique handset identification numbers may be shared with FCC software partners as part of the Consumer Broadband Test application. These partners may publish the IP address, mobile handset location, unique handset identification numbers, and broadband performance data, or otherwise make this information available to the public (but the IP address is not associated with a street address).
The FCC is thus allowing its contractors to publicly disclose personal information that the FCC itself cannot publish.
The most egregious aspect of these broadband measurement programs, however, is that the FCC kept the public in the dark for more than a year by failing to disclose that its mobile testing apps were collecting user locations (by latitude and longitude) and unique handset identification numbers that the FCC’s contractors can make available to the public. The FCC first proposed its system of records for broadband measurement on December 30, 2009, when the program was known as the “Broadband Unavailability Survey and Broadband Quality Test.” On April 7, 2010, after it launched the “Consumer Broadband Test” (including its mobile testing apps), the FCC revised its system of records to reflect the broadband measurement program it had actually implemented, with one critical exception: The FCC’s system of records did not disclose that its mobile testing apps collect user locations and unique handset identification numbers. The FCC also failed to flag the collection of this data in its Privacy Threshold Analysis, which was conducted in May 2010.
Although the FCC finally disclosed the collection of this data in a formal filing on July 14, 2011, the FCC’s privacy policy still fails to mention the collection of mobile handset locations and unique handset identification numbers. This information is also unavailable in the Android and iOS app stores or on USA.gov, where consumers are most likely to download the mobile apps.
Representative Ed Markey, the co-chairman of the Congressional Privacy Caucus, believes “Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information.” He introduced a bill this month that would require private companies to disclose the type of information mobile monitoring software would collect, where it would be sent, and how it would be used. The bill would also require that companies obtain consent from consumers before using sensitive information and – ironically – that such agreements be filed with the FCC and FTC. Markey may want reconsider whether the FCC should be given authority to oversee mobile privacy agreements given its own failures to disclose the type of data it collects and its acquiescence to its vendor demands to publicly disclose sensitive information.
Consumers who volunteer to participate in a government program deserve accurate and transparent disclosures regarding the personal information that will be collected and the protection that information will receive. The FCC hasn’t met that obligation in its broadband measurement programs. Consumers who are considering participation in the FCC’s new mobile measurement program should demand accountability from the FCC and its third-party contractors before agreeing to provide sensitive data.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.