*Pages 1--34 from  Microsoft Word - 55047.doc*
 Federal  Communications  Commission  FCC  06-  10 
 Before  the  Federal  Communications  Commission 
 Washington,  D.  C.  20554 


 In  the  Matter  of 
 Implementation  of  the  Telecommunications  Act  of  1996: 


 Telecommunications  Carriers’  Use  of  Customer  Proprietary  network  Information  and  other 
 Customer  Information; 
 Petition  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer 
 Proprietary  Network  Information 


 )  ) 
 )  ) 
 )  ) 
 )  ) 
 )  ) 
 )  ) 


 CC  Docket  No.  96-  115 
 RM-  11277 
 NOTICE  OF  PROPOSED  RULEMAKING 
 Adopted:  February  10,  2006  Released:  February  14,  2006 
 Comment  Date:  [30  Days  After  Federal  Register  Publication  of  this  Notice]  Reply  Comment  Date:  [60  Days  After  Federal  Register  Publication  of  this  Notice] 


 By  the  Commission:  Chairman  Martin,  and  Commissioners  Copps,  Adelstein,  and  Tate  issuing  separate  statements. 
 I.  INTRODUCTION 
 1.  In  this  Notice  of  Proposed  Rulemaking  (Notice),  we  seek  comment  on  what  additional  steps,  if  any,  the  Commission  should  take  to  further  protect  the  privacy  of  customer  proprietary  network 


 information  (CPNI)  that  is  collected  and  held  by  telecommunications  carriers.  1  The  Commission  has  long  been  committed  to  safeguarding  customer  privacy,  and  its  rules  implementing  section  222  of  the 
 Communications  Act  require  carriers  to  take  specific  steps  to  ensure  that  CPNI  is  adequately  protected  from  unauthorized  disclosure.  2  This  Notice  directly  responds  to  the  petition  filed  by  the  Electronic 


 1  CPNI  includes  personally  identifiable  information  derived  from  a  customer’s  relationship  with  a  telephone 
 company,  irrespective  of  whether  the  customer  purchases  wireline  or  wireless  telephone  service.  Section  222  of  the  Communication  Act  of  1934,  as  amended,  (Communications  Act,  or  Act)  establishes  a  duty  of  every 


 telecommunications  carrier  to  protect  the  confidentiality  of  its  customers’  CPNI.  47  U.  S.  C.  §  222.  Section  222  was  added  to  the  Communications  Act  by  the  Telecommunications  Act  of  1996.  Telecommunications  Act  of  1996,  Pub. 
 L.  No.  104-  104,  110  Stat.  56  (codified  at  47  U.  S.  C.  §§  151  et  seq.)  (1996  Act).  2 
 Prior  to  the  1996  Act,  the  Commission  had  established  CPNI  requirements  applicable  to  the  enhanced  services  operations  of  AT&  T,  the  BOCs,  and  GTE,  and  the  CPE  operations  of  AT&  T  and  the  BOCs,  in  the  Computer  II, 


 Computer  III,  GTE  ONA,  and  BOC  CPE  Relief  proceedings.  See  Implementation  of  the  Telecommunications  Act  of  1996:  Telecommunications  Carriers’  Use  of  Customer  Proprietary  Network  Information  and  Other  Customer 
 Information  and  Implementation  of  Non-  Accounting  Safeguards  of  Sections  271  and  272  of  the  Communications  Act  of  1934,  as  amended,  CC  Docket  Nos.  96-  115  and  96-  149,  Second  Report  and  Order  and  Further  Notice  of  Proposed 
 (continued....) 
1
 Federal  Communications  Commission  FCC  06-  10 
 2 
 Privacy  Information  Center  (EPIC)  expressing  concerns  about  the  sufficiency  of  carrier  practices  related  to  CPNI.  3  As  the  EPIC  petition  points  out,  numerous  websites  advertise  the  sale  of  personal  telephone 
 records  for  a  price.  Specifically,  data  brokers  advertise  the  availability  of  cell  phone  records,  which  include  calls  to  and/  or  from  a  particular  cell  phone  number,  the  duration  of  such  calls,  and  may  even 
 include  the  physical  location  of  the  cell  phone.  In  addition  to  selling  cell  phone  call  records,  many  data  brokers  also  claim  to  provide  calling  records  for  landline  and  voice  over  Internet  protocol,  as  well  as  non-published 
 phone  numbers.  In  many  cases,  the  data  brokers  claim  to  be  able  to  provide  this  information  within  fairly  quick  time  frames,  ranging  from  a  few  hours  to  a  few  days.  We  find  this  conduct  to  be  very 
 disturbing  and,  accordingly,  we  grant  EPIC’s  request  and  initiate  a  rulemaking  to  determine  whether  enhanced  security  and  authentication  standards  for  access  to  customer  telephone  records  are  warranted. 


 II.  BACKGROUND 
 2.  Statutory  Authority.  In  section  222,  Congress  created  a  framework  to  govern  telecommunications  carriers’  use  of  information  obtained  by  virtue  of  providing  a  telecommunications 


 service.  4  The  section  222  framework  calibrates  the  protection  of  such  information  from  disclosure  and  dissemination  based  on  the  sensitivity  of  the  information.  Thus,  section  222  places  fewer  restrictions  on 
 the  dissemination  of  information  that  is  not  highly  sensitive  and  on  information  the  customer  authorizes  to  be  released,  than  on  the  dissemination  of  more  sensitive  information  the  carrier  has  gathered  about 
 particular  customers.  5  Congress  accorded  CPNI,  the  category  of  customer  information  at  issue  in  this  Notice,  the  greatest  level  of  protection  under  this  framework. 


 3.  CPNI  is  defined  as  “(  A)  information  that  relates  to  the  quantity,  technical  configuration,  type, 
 (...  continued  from  previous  page)  Rulemaking,  13  FCC  Rcd  8061,  8068-  70,  para.  7  (1998)  (CPNI  Order)  (describing  the  Commission’s  privacy 
 protections  for  confidential  customer  information  in  place  prior  to  the  1996  Act).  3 
 Petition  of  the  Electronic  Privacy  Information  Center  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer  Proprietary  Network  Information,  CC  Docket  No.  96-  115  (filed  Aug.  30,  2005) 


 (EPIC  Petition).  4 
 Section  222(  a)  imposes  a  general  duty  on  telecommunications  carriers  to  protect  the  confidentiality  of  proprietary  information  –  a  duty  owed  to  other  carriers,  equipment  manufacturers,  and  customers.  47  U.  S.  C. 


 §  222(  a).  Section  222(  b)  states  that  a  carrier  that  receives  or  obtains  proprietary  information  from  other  carriers  in  order  to  provide  a  telecommunications  service  may  only  use  such  information  for  that  purpose  and  may  not  use 
 that  information  for  its  own  marketing  efforts.  47  U.  S.  C.  §  222(  b).  Section  222(  c)  outlines  the  confidentiality  protections  applicable  to  customer  information.  47  U.  S.  C.  §  222(  c).  Section  222(  d)  delineates  certain  exceptions 
 to  the  general  principle  of  confidentiality.  47  U.  S.  C.  §  222(  d).  The  Commission  addressed  the  scope  of  section  222(  e)  in  the  Subscriber  List  Information  Order  and  Order  on  Reconsideration.  Implementation  of  the 
 Telecommunications  Act  of  1996:  Telecommunications  Carriers’  Use  of  Customer  Proprietary  Network  Information  and  Other  Customer  Information,  Implementation  of  the  Local  Competition  Provisions  of  the 
 Telecommunications  Act  of  1996,  Provision  of  Directory  Listing  Information  Under  the  Telecommunications  Act  of  1934,  as  Amended,  CC  Docket  Nos.  96-  115,  96-  98,  and  99-  273,  Third  Report  and  Order,  Second  Order  on 
 Reconsideration,  and  Notice  of  Proposed  Rulemaking,  14  FCC  Rcd  15550  (1999)  (Subscriber  List  Information  Order),  on  reconsideration,  CC  Docket  No.  96-  115,  Memorandum  Opinion  and  Order  on  Reconsideration,  19 
 FCC  Rcd  18439  (2004)  (Order  on  Reconsideration). 
 5  The  Commission’s  previous  orders  in  this  proceeding  have  addressed  three  general  categories  of  customer 
 information  to  which  different  privacy  protections  and  carrier  obligations  apply  pursuant  to  section  222:  (1)  individually  identifiable  CPNI,  (2)  aggregate  customer  information,  and  (3)  subscriber  list  information.  See,  e.  g., 


 CPNI  Order;  Order  on  Reconsideration  and  Petitions  for  Forbearance,  14  FCC  Rcd  14409  (1999);  Clarification  Order  and  Second  Further  Notice  of  Proposed  Rulemaking,  16  FCC  Rcd  16506  (2001);  Third  Report  and  Order, 
 17  FCC  Rcd  14860  (2002). 
2
 Federal  Communications  Commission  FCC  06-  10 
 3 
 destination,  location,  and  amount  of  use  of  a  telecommunications  service  subscribed  to  by  any  customer  of  a  telecommunications  carrier,  and  that  is  made  available  to  the  carrier  by  the  customer  solely  by  virtue 
 of  the  carrier-  customer  relationship;  and  (B)  information  contained  in  the  bills  pertaining  to  telephone  exchange  service  or  telephone  toll  service  received  by  a  customer  of  a  carrier.”  6  Practically  speaking, 
 CPNI  includes  information  such  as  the  phone  numbers  called  by  a  consumer;  the  frequency,  duration,  and  timing  of  such  calls;  and  any  services  purchased  by  the  consumer,  such  as  call  waiting.  CPNI  therefore 
 includes  highly-  sensitive  personal  information. 
 4.  Section  222  reflects  the  balance  Congress  sought  to  achieve  between  giving  each  customer  ready  access  to  his  or  her  own  CPNI,  and  protecting  customers  from  unauthorized  use  or  disclosure  of 


 CPNI.  Every  telecommunications  carrier  has  a  general  duty  pursuant  to  section  222(  a)  to  protect  the  confidentiality  of  CPNI.  7  In  addition,  section  222(  c)(  1)  provides  that  a  carrier  may  only  use,  disclose,  or 
 permit  access  to  customers’  CPNI  in  limited  circumstances:  (1)  as  required  by  law;  (2)  with  the  customer’s  approval;  or  (3)  in  its  provision  of  the  telecommunications  service  from  which  such 
 information  is  derived,  or  services  necessary  to  or  used  in  the  provision  of  such  telecommunications  service.  8  Section  222  also  guarantees  that  customers  have  a  right  to  obtain  access  to,  and  compel 
 disclosure  of,  their  own  CPNI.  9  Specifically,  pursuant  to  section  222(  c)(  2),  every  telecommunications  carrier  must  disclose  CPNI  “upon  affirmative  written  request  by  the  customer,  to  any  person  designated 
 by  the  customer.”  10 
 5.  Existing  Safeguards.  On  February  26,  1998,  the  Commission  released  the  CPNI  Order  in  which  it  adopted  a  comprehensive  set  of  rules  implementing  section  222.  11  The  Commission’s  CPNI 


 rules  have  been  amended  from  time  to  time  since  the  CPNI  Order,  primarily  in  respects  that  do  not  directly  impact  this  Notice.  Here,  we  focus  on  the  substance  of  the  Commission’s  rules  most  relevant  to 
 this  Notice,  and  briefly  review  the  history  of  the  creation  of  those  rules  only  to  the  extent  necessary  to  prevent  confusion  regarding  their  substance.  12 


 6.  In  the  CPNI  Order  and  subsequent  orders,  the  Commission  promulgated  rules  implementing  the  express  statutory  obligations  of  section  222.  Included  among  the  Commission’s  CPNI  regulations 
 implementing  the  express  statutory  obligations  of  section  222  are  requirements  outlining  the  extent  to  which  section  222  permits  carriers  to  use  CPNI  to  render  the  telecommunications  service  from  which  the 
 CPNI  was  derived.  13  Beyond  such  use,  the  Commission’s  rules  require  carriers  to  obtain  a  customer’s 


 6  47  U.  S.  C.  §  222(  h)(  1). 
 7  47  U.  S.  C.  §  222(  a). 
 8  47  U.  S.  C.  §  222(  c)(  1).  Subsequent  to  the  adoption  of  section  222(  c)(  1),  Congress  added  section  222(  f).  Section 
 222(  f)  provides  that  for  purposes  of  section  222(  c)(  1),  without  the  “express  prior  authorization”  of  the  customer,  a  customer  shall  not  be  considered  to  have  approved  the  use  or  disclosure  of  or  access  to  (1)  call  location 


 information  concerning  the  user  of  a  commercial  mobile  service  or  (2)  automatic  crash  notification  information  of  any  person  other  than  for  use  in  the  operation  of  an  automatic  crash  notification  system.  47  U.  S.  C.  §  222(  f). 


 9  See  CPNI  Order,  13  FCC  Rcd  at  8101-  02,  para.  53. 
 10  47  U.  S.  C.  §  222(  c)(  2). 
 11  CPNI  Order,  13  FCC  Rcd  8061. 
 12  The  Commission  previously  has  summarized  the  history  of  the  CPNI  proceeding.  Third  Report  and  Order,  17 
 FCC  Rcd  at  14863-  72,  paras.  5-  25.  13 
 As  the  Commission  discussed  in  the  CPNI  Order,  “the  language  of  section  222(  c)(  1)(  A)  and  (B)  reflects  Congress’  judgment  that  customer  approval  for  carriers  to  use,  disclose,  and  permit  access  to  CPNI  can  be  inferred 


 in  the  context  of  an  existing  customer-  carrier  relationship.  This  is  so  because  the  customer  is  aware  that  its  carrier  (continued....) 
3
 Federal  Communications  Commission  FCC  06-  10 
 4 
 knowing  consent  before  using  or  disclosing  CPNI.  As  most  relevant  to  this  Notice,  under  the  Commission’s  existing  rules,  telecommunications  carriers  must  receive  opt-  in  (affirmative)  consent 
 before  disclosing  CPNI  to  third  parties  or  affiliates  that  do  not  provide  communications-  related  services.  14  Consistent  with  section  222(  c)(  2),  the  Commission’s  rules  recognize  that  a  carrier  must  comply  with  the 
 express  desire  of  a  customer  seeking  the  disclosure  of  his  or  her  CPNI.  15 
 7.  In  addition  to  adopting  restrictions  on  the  use  and  disclosure  of  CPNI,  the  Commission  in  the  CPNI  Order  also  adopted  a  set  of  rules  designed  to  ensure  that  telecommunications  carriers  establish 


 effective  safeguards  to  protect  against  unauthorized  use  or  disclosure  of  CPNI.  16  Among  these  safeguards  are  rules  that  require  carriers  to  design  their  customer  service  records  in  such  a  way  that  the  status  of  a 
 customer’s  CPNI  approval  can  be  clearly  established.  17  The  Commission  also  requires  telecommunications  carriers  to  train  their  personnel  as  to  when  they  are  and  are  not  authorized  to  use 
 CPNI,  and  requires  carriers  to  have  an  express  disciplinary  process  in  place.  18  The  Commission’s  safeguard  rules  also  require  carriers  to  maintain  records  that  track  access  to  customer  CPNI  records. 
 Specifically,  section  64.2009(  c)  of  the  Commission’s  rules  requires  carriers  to  “maintain  a  record  of  all  instances  where  CPNI  was  disclosed  or  provided  to  third  parties,  or  where  third  parties  were  allowed 
 access  to  CPNI,”  and  to  maintain  such  records  for  a  period  of  at  least  one  year.  19  The  Commission’s  safeguard  rules  also  require  the  establishment  of  a  supervisory  review  process  for  outbound  marketing 
 campaigns.  20  Finally,  the  Commission  requires  each  carrier  to  certify  annually  regarding  its  compliance  with  the  carrier’s  CPNI  requirements  and  to  make  this  certification  publicly  available.  21 


 (...  continued  from  previous  page)  has  access  to  CPNI,  and,  through  subscription  to  the  carrier’s  service,  has  implicitly  approved  the  carrier’s  use  of 
 CPNI  within  that  existing  relationship.”  CPNI  Order,  13  FCC  Rcd  at  8080,  para.  23  (introducing  the  “total  service  approach”  to  defining  the  boundaries  of  a  customer’s  implied  consent  concerning  use  of  CPNI);  see  also  47  C.  F.  R. 
 §  64.  2005(  a).  14 
 Except  as  required  by  law,  carriers  may  not  disclose  CPNI  to  third  parties  or  their  own  affiliates  that  do  not  provide  communications-  related  services  unless  the  consumer  has  given  “opt  in”  consent,  which  is  express  written, 


 oral,  or  electronic  consent.  47  C.  F.  R.  §§  64.  2005(  b),  64.  2007(  b)(  3);  64.  2008(  e);  see  also  47  C.  F.  R.  §  64.  2003(  h)  (defining  “opt-  in  approval”).  Under  the  Commission’s  current  rules,  carriers  must  receive  a  customer’s  opt-  out 
 approval  before  intra-  company  use  of  CPNI  beyond  the  total  service  approach,  and  before  disclosing  CPNI  to  affiliates  and  joint  venture  partners  that  provide  communications-  related  services.  47  U.  S.  C.  §  64.  2005(  a),  (b);  see 
 also  47  C.  F.  R.  §  64.  2005(  b)(  1).  A  customer  is  deemed  to  have  provided  “opt-  out  approval”  if  that  customer  has  been  given  appropriate  notification  of  the  carrier’s  request  for  consent  consistent  with  the  Commission’s  rules  and 
 the  subscriber  has  failed  to  object  to  such  use  or  disclosure  within  the  waiting  period  described  in  section  64.  2008(  d)(  1)  of  the  Commission’s  rules,  a  minimum  of  30  days.  47  C.  F.  R.  §  64.  2003(  i);  see  also  47  C.  F.  R.  § 
 64.  2008(  d)(  1).  15 
 47  U.  S.  C.  §  222(  c)(  2);  see  also,  e.  g.,  CPNI  Order,  13  FCC  Rcd  at  8101-  02,  para.  53;  47  C.  F.  R.  §  2005(  b)(  3)  (prohibiting  the  disclosure  of  CPNI  without  opt-  in  consent  except  as  permitted  by  section  222  of  the  Act  or  the 


 Commission’s  rules);  Arizona  Corporation  Commission  Petition  for  Clarification  and/  or  Reconsideration  (filed  Oct.  21,  2002). 
 16  CPNI  Order,  13  FCC  Rcd  at  8195,  para.  193. 
 17  47  C.  F.  R.  §  64.  2009(  a);  see  also  CPNI  Order,  13  FCC  Rcd  at  8198,  para.  198. 
 18  47  C.  F.  R.  §  64.  2009(  b);  see  also  CPNI  Order,  13  FCC  Rcd  at  8198,  para.  198. 
 19  47  C.  F.  R.  §  64.  2009(  c);  see  also  CPNI  Order,  13  FCC  Rcd  at  8198-  99,  para.  199. 
 20  47  C.  F.  R.  §  64.  2009(  d);  see  also  CPNI  Order,  13  FCC  Rcd  at  8199,  para.  200. 
 21  47  C.  F.  R.  §  64.  2009(  3);  see  also  CPNI  Reconsideration  Order,  14  FCC  Rcd  14409,  14468  n.  331  (1999) 
 (clarifying  that  carriers  must  “make  these  certifications  available  for  public  inspection,  copying  and/  or  printing  at  any  time  during  regular  business  hours  at  a  centrally  located  business  office  of  the  carrier”).  The  Commission’s 


 (continued....) 
4
 Federal  Communications  Commission  FCC  06-  10 
 5 
 8.  EPIC  Petition.  On  August  30,  2005,  EPIC  filed  with  the  Commission  the  petition  under  consideration  in  this  proceeding.  EPIC  petitions  the  Commission  to  investigate  telecommunications 
 carriers’  current  security  practices  and  to  initiate  a  rulemaking  proceeding  to  consider  establishing  more  stringent  security  standards  for  telecommunications  carriers  to  govern  the  disclosure  of  CPNI.  On 
 September  29,  2005,  the  Commission  issued  a  public  notice  seeking  comment  on  EPIC’s  petition.  22  The  Commission  received  comments  and  reply  comments  and  ex  parte  submissions  from  several 
 telecommunications  carriers,  CTIA  (a  trade  group  representing  wireless  carriers),  and  from  numerous  concerned  citizens.  23 


 III.  DISCUSSION 
 9.  In  this  Notice,  we  request  comment  on  the  issues  raised  by  EPIC.  As  noted  above,  EPIC  alleges  that  the  Commission’s  CPNI  regulations  are  insufficient  to  prevent  the  unauthorized  disclosure  of 


 CPNI.  24  EPIC  asks  the  Commission  to  initiate  a  rulemaking  proceeding  to  investigate  what  security  measures  telecommunications  carriers  currently  have  in  place  for  verifying  the  identity  of  people 
 requesting  CPNI;  what  inadequacies  currently  exist  in  those  measures  that  allow  third  parties  such  as  online  data  brokers  and  private  investigators  to  access  CPNI  without  the  customer’s  knowledge  or 
 authorization;  and  what  kind  of  security  measures  are  warranted  to  better  protect  telecommunications  customers  from  unauthorized  access  to  CPNI.  25 


 10.  EPIC  has  supplied  information  to  the  Commission  to  support  its  contention  that  numerous  online  data  brokers  and  private  investigators  widely  advertise  their  ability  to  obtain  CPNI  without  the 
 account  holder’s  knowledge  and  consent.  26  Specifically,  EPIC  alleges  that  some  data  brokers  offer  services  to  retrieve  telephone  call  records,  sometimes  requiring  only  the  telephone  number  associated 
 with  the  requested  CPNI.  27  EPIC  further  alleges  that  such  data  brokers  sometimes  offer  to  obtain  this  personal  information  in  as  little  as  several  hours.  28  EPIC  does  not  claim  it  knows  specifically  how  these 


 (...  continued  from  previous  page)  rules  also  require  carriers  to  notify  the  Commission  in  writing  within  five  business  days  of  any  instance  in  which  the 
 opt-  out  mechanisms  did  not  work  properly,  to  such  a  degree  that  consumers’  inability  to  opt-  out  is  more  than  an  anomaly.  47  C.  F.  R.  §  64.  2009(  f);  see  Third  Report  and  Order,  17  FCC  Rcd  at  14910-  11,  paras.  114-  15  (adopting 
 such  requirement).  22 
 Consumer  &  Governmental  Affairs  Bureau,  Reference  Information  Center,  Petition  for  Rulemakings  Filed,  RM-11277,  Public  Notice  (CGB  Sept.  29,  2005),  available  at  <http://  hraunfoss.  fcc.  gov/  edocs_  public/  attachmatch/  DOC-261315A1. 


 pdf>.  23 
 The  list  of  parties  who  filed  comments  or  reply  comments  in  response  to  the  September  29,  2005  Public  Notice  is  set  forth  in  Appendix  A.  Appendix  A  also  lists  66  individual  consumers  who  filed  ex  parte  comments  through  the 


 Commission’s  Electronic  Comment  Filing  System.  24 
 EPIC  Petition  at  1;  see  also  Verizon  Wireless  Comments  at  2.  25 
 EPIC  Petition  at  10.  26 
 See,  e.  g.,  EPIC  Petition,  Appendix  C  (providing  a  list  of  40  web  sites  offering  to  sell  CPNI  to  third  parties);  see  also  EPIC  Reply  at  1  (“  The  prevalence  of  phone  record  advertisements,  and  the  apparent  ease  with  which  these 


 companies  could  obtain  records  from  carriers,  made  it  clear  that  carriers’  practices  are  to  some  extent  responsible  for  these  security  problems.”);  EPIC  FTC  Complaint  at  4-  5  (listing  several  web  sites  that  offer  to  the  general  public 
 third  party  call  detail  records,  cell  phone  location  information,  and  other  information).  Verizon  Wireless  notes  in  its  comments  that  it  is  not  aware  of  how  a  “social  engineer”  could  have  access  to  location  tracking  information  because 
 this  information  is  not  available  to  customer  service  representatives.  See  Verizon  Wireless  Comments  at  3  n.  6.  27 
 EPIC  Petition  at  5-  6.  28 
 See  id. 
5
 Federal  Communications  Commission  FCC  06-  10 
 6 
 online  data  brokers  and  private  investigators  are  obtaining  unauthorized  access  to  CPNI.  29  EPIC  suggests  that  “[  d]  ata  brokers  and  private  investigators  are  taking  advantage  of  inadequate  security  through 
 pretexting,  the  practice  of  pretending  to  have  authority  to  access  protected  records;  through  cracking  consumers’  online  accounts  with  communications  carriers;  and  possibly  through  dishonest  insiders  at  the 
 carriers.”  30  EPIC  suggests  that  unauthorized  third  parties  are  exploiting  existing  security  standards  and  states  that  “[  t]  elecommunications  carriers  are  not  responsible  for  actively  disseminating  information  to 
 unauthorized  third  parties.”  31  While  not  all  commenters  agree  that  the  Commission  should  initiate  the  present  rulemaking  proceeding,  none  of  the  commenters  dispute  that  EPIC  has  identified  a  problem  that 
 needs  to  be  addressed  in  some  manner.  One  carrier  comments  that  “EPIC’s  Petition  rightly  points  out  a  growing  problem  which  the  Commission  should  address.”  32 


 11.  Pursuant  to  our  authority  under  section  222  of  the  Act,  we  seek  comment  on  the  nature  and  scope  of  the  problem  identified  by  EPIC.  33  Further,  we  seek  comment  on  whether  such  intervention  will 
 adequately  remedy  the  identified  problem.  Data  brokers  typically  do  not  explain  on  their  websites  how  they  obtain  the  CPNI  that  they  market  and  sell.  Thus,  we  seek  comment  generally  on  how  CPNI  is 
 maintained  and  secured  by  carriers  and  how  data  brokers  are  able  to  obtain  CPNI  from  carriers.  Specifically,  how  is  CPNI  being  made  available  to  unauthorized  third  parties?  Who  is  able  to  obtain 
 unauthorized  access  to  CPNI,  and  for  what  range  of  purposes?  To  the  extent  third  parties  are  able  to  obtain  unauthorized  access  to  CPNI,  what  are  the  methods  by  which  they  obtain  such  access?  Is  such 
 access  primarily  through  “pretexting,”  which  we  understand  in  this  context  to  be  a  person  falsely  representing  to  a  telecommunications  carrier  that  he  or  she  is  a  company  employee  or  a  particular 


 29  See  EPIC  Petition  at  6  (stating  that  “online  private  investigators  do  not  reveal  how  they  actually  obtain  this 
 information.  However,  EPIC  is  aware  of  no  legal  way  to  reliably  and  quickly  obtain  call  detail  information.”).  30 
 EPIC  Petition  at  1.  Both  Verizon  Wireless  and  Cingular  have  filed  civil  lawsuits  seeking  to  prevent  third  parties  from  obtaining  unauthorized  access  to  CPNI.  See,  e.  g.,  Cellco  Partnership  d/  b/  a/  Verizon  Wireless  v.  Source 


 Resources,  Permanent  Injunction  on  Consent,  Docket  No.  SOM-  L-  1013-  05  (Sup.  Ct.  of  N.  J.;  Law  Div.:  Somerset  County,  Sept.  13,  2005);  see  also  Complaint  of  Cingular  in  Cingular  Wireless  LLC  v.  Data  Find  Solutions,  Inc., 
 James  Kester,  1st  Source  Information  Specialists,  Inc.,  Kenneth  W.  Gorman,  Steven  Schwartz,  John  Does  1-  100,  and  XYZ  Corps.  1-  100,  Docket  No.  1  05-  CV  3269-  CC  (D.  N.  D.  Ga.  filed  Dec.  23,  2005)  (Cingular  Petition);  see 
 also  Verizon  Wireless  Comments  at  3  (stating  that  Verizon  Wireless  is  pursuing  similar  actions  against  other  parties).  Cingular’s  petition  suggests  that  it  believes  EPIC  correctly  has  identified  at  least  some  of  the  means  third 
 parties  are  using  to  obtain  unauthorized  access  to  CPNI.  See,  e.  g.,  Cingular  Petition  at  2-  3  (alleging  that  defendants  have  wrongfully  obtained  CPNI  through  “‘  social  engineering,  ’  improper  hacking,  and/  or  unauthorized  access  to 
 online  account  information  stored  in  Cingular’s  computer  network”).  31 
 EPIC  Petition  at  5-  6.  32 
 Verizon  Comments  at  1  (urging  the  Commission  not  to  initiate  the  present  Notice  but  instead  to  work  with  the  FTC  on  ways  to  track  and  combat  actions  by  those  persons  that  unlawfully  obtain  and  sell  CPNI).  Verizon  Wireless 


 reports  that  unauthorized  persons  attempt  to  obtain  confidential  customer  information  by  misrepresenting  their  identities  to  customer  service  personnel  several  times  a  day.  See  Verizon  Wireless  Comments  at  3  (noting  that  such 
 “individuals,  who  advertise  freely  on  the  Internet,  either  pose  as  Verizon  Wireless  customers  or  employees  seeking  information  on  their  accounts,  or  they  claim  that  they  are  attempting  to  obtain  the  information  on  behalf  of  the 
 customer.  They  employ  a  variety  of  different  tactics  to  obtain  information  about  a  customer’s  mobile  number,  address,  call  detail,  and  copies  of  bills.”);  see  also  EPIC  Reply  at  7-  8. 
 33  We  are  sensitive  to  commenters’  concerns  that  this  proceeding  not  inadvertently  undermine  the  protections 
 telecommunications  carriers  currently  have  in  place  to  guard  against  unauthorized  access  to,  and  unauthorized  disclosure  of,  CPNI.  See,  e.  g.,  Verizon  Comments  at  1;  Verizon  Wireless  Comments  at  4.  Nevertheless,  we  believe 


 that  a  comprehensive  record  can  be  developed  in  response  to  this  Notice  without  undermining  carriers’  existing  CPNI  safeguards  and  urge  commenters  to  be  mindful  of  these  considerations  when  providing  information  in 
 response  to  this  Notice.  Commenters  desiring  confidential  treatment  of  their  submissions  should  request  that  their  submission,  or  a  specific  part  thereof,  be  withheld  from  public  inspection.  47  C.  F.  R.  §  0.459. 
6
 Federal  Communications  Commission  FCC  06-  10 
 7 
 customer  who  seeks  access  to  his  or  her  own  CPNI?  34  What  other  methods,  if  any,  are  third  parties  using  to  obtain  unauthorized  access  to  CPNI?  Is  there  any  evidence  that  third  parties  are  “hacking”  or 
 otherwise  obtaining  unauthorized  access  to  consumers’  online  accounts  with  communications  carriers?  If  so,  is  there  any  evidence  that  such  occurrences  are  widespread?  Is  there  any  evidence  that  dishonest 
 insiders  at  the  carriers  are  providing  third  parties  with  unauthorized  access  to  CPNI?  Is  there  any  evidence  to  show  that  the  problems  identified  by  EPIC  are  better  or  worse  at  smaller  carriers?  What  other 
 evidence  is  relevant  to  the  nature  and  scope  of  the  unauthorized  disclosure  of  CPNI  to  third  parties? 
 12.  We  also  seek  comment  on  whether  our  existing  opt-  out  regime  sufficiently  protects  the  privacy  of  CPNI  in  the  context  of  CPNI  disclosed  to  telecommunications  carriers’  joint  venture  partners 


 and  independent  contractors.  Specifically,  we  seek  comment  on  whether  there  is  a  greater  possibility  of  dissemination  of  customers’  private  information  in  this  situation,  and  whether  the  Commission  should 
 instead  require  carriers  to  obtain  opt-  in  consent  from  a  customer  before  disclosing  that  customer’s  CPNI  to  the  carrier’s  joint  venture  partners  or  independent  contractors  that  provide  communications-  related 
 services.  35  Would  this  change  in  the  Commission’s  regulations  better  protect  customer  privacy  notwithstanding  the  Commission’s  current  safeguards  applicable  to  the  release  of  CPNI  to  carriers’ 
 partners  and  independent  contractors?  36  What  are  the  costs  to  telecommunications  carriers,  consumers  and  other  parties  of  such  a  change?  Would  the  consumer  benefits  of  such  a  change  outweigh  the  costs? 


 13.  We  also  seek  comment  on  carriers’  current  practices  regarding  the  disclosure  of  CPNI  and  whether  they  are  sufficient.  What  steps  do  carriers  take  to  verify  that  a  person  seeking  access  to  CPNI  is 
 the  customer  or  employee  he  or  she  purports  to  be?  For  instance,  do  telecommunications  carriers  have  heightened  verification  requirements  if  a  purported  customer  contacts  the  carrier  seeking  CPNI  from  a 
 telephone  number  other  than  the  number  assigned  to  that  customer?  When  a  carrier  discloses  CPNI  to  a  person  it  believes  to  be  a  customer,  how  does  that  carrier  transmit  the  CPNI  to  the  customer?  Do  carriers 
 provide  customers  with  CPNI  over  the  telephone,  by  regular  mail,  by  e-  mail,  or  by  fax?  Should  there  be  any  limitations  on  the  transmission  of  CPNI?  What  is  the  impact  of  section  222(  c)(  2)  on  this  issue,  which 
 requires  carriers  to  disclose  CPNI  to  any  person  designated  by  the  customer  upon  the  affirmative  written  consent  of  the  customer?  37  Do  carriers  take  any  routine  confirmatory  steps  after  disclosing  CPNI  to  a 
 person  they  believe  to  be  a  customer?  For  instance,  do  carriers  contact  the  customer  through  a  means  that  is  highly  likely  to  reach  the  real  customer  to  confirm  for  that  customer  that  his  or  her  CPNI  has  been 
 disclosed,  such  as  by  notifying  the  customer  of  such  disclosure  at  his  or  her  assigned  telephone  number  and/  or  via  regular  mail  at  that  customer’s  home  address?  As  a  general  matter,  are  the  Commission’s 
 existing  regulatory  safeguards  to  protect  the  privacy  of  CPNI  adequate?  If  not,  what  specific  rule  changes 


 34  Some  commenters  alternatively  refer  to  this  practice  as  “social  engineering.”  See,  e.  g.,  Verizon  Wireless 
 Comments  at  3  n.  6.  CTIA  claimed  in  testimony  before  Congress  that  “[  o]  verwhelmingly,  the  vast  majority  of  cell  phone  records  are  being  fraudulently  obtained  through  the  use  of  ‘pretexting.  ’”  See  Letter  from  Paul  Garnett  to 


 Marlene  H.  Dortch,  Secretary,  FCC,  CC  Docket  No.  96-  115  Attach.  at  2  (filed  Feb.  2,  2006)  (CTIA  Feb.  2  Ex  Parte  Letter). 
 35  Under  the  Commission’s  existing  rules,  carriers  may  not  disclose  CPNI  to  such  third  parties  or  their  own 
 affiliates  that  do  not  provide  communications-  related  services  unless  the  consumer  has  given  “opt  in”  consent.  See  47  C.  F.  R.  §§  64.  2005(  b),  64.  2007(  b)(  3);  64.  2008(  e).  However,  telecommunications  carriers  are  permitted  to 


 disclose  CPNI  to  their  joint  venture  partners  and  independent  contractors  that  provide  communications-  related  services  after  obtaining  a  customer’s  “opt-  out”  consent.  47  C.  F.  R.  §§  64.  2005(  b),  64.  2007(  b)(  1).  Such  disclosure  is 
 subject  to  joint  venture/  contractor  safeguards  that  require  the  telecommunications  carrier  to  enter  into  confidentiality  agreements  with  independent  contractors  or  joint  venture  partners  that  protect  the  confidentiality  of  a  customer’s 
 CPNI.  See  47  C.  F.  R.  §  64.  2007(  b)(  2).  36 
 See  47  C.  F.  R.  §  64.  2007(  b)(  2);  see  also  47  U.  S.  C.  §  217.  37 
 47  U.  S.  C.  §  222(  c)(  2). 
7
 Federal  Communications  Commission  FCC  06-  10 
 8 
 are  needed  to  identify  and  solve  the  concerns  raised  by  EPIC?  What  other  practices  regarding  the  disclosure  of  CPNI  are  relevant  to  this  Notice? 
 14.  EPIC  proposes  that  we  consider  requiring  carriers  to  institute  certain  security  measures  to  more  adequately  protect  CPNI.  In  particular,  EPIC  proposes  five  forms  of  security  measures  that  it 
 maintains  would  more  adequately  protect  access  to  CPNI:  consumer-  set  passwords,  audit  trails,  encryption,  limiting  data  retention,  and  notice  procedures.  We  seek  comment  about  the  feasibility  and 
 advisability  of  these  and  other  measures. 
 15.  Consumer-  set  passwords.  EPIC  maintains  that  data  brokers  use  the  Internet  to  obtain  common  biographical  data  such  as  a  person’s  date  of  birth,  mother’s  maiden  name,  or  social  security 


 number.  38  According  to  EPIC,  these  and  similar  “biographical  identifiers”  are  readily  available  through  public  records  and  online  databases,  and  may  easily  be  used  to  falsely  authenticate  a  request  for  CPNI.  39 
 EPIC  argues  that  a  consumer-  set  password,  chosen  by  the  account  holder  at  the  time  of  phone  activation,  would  greatly  increase  the  security  of  CPNI.  40  Some  commenters  acknowledge  that  customer-  set 
 passwords  can  increase  the  security  of  CPNI,  and  state  that  customers  already  have  the  option  of  adding  a  password  or  code  to  their  accounts.  41  Commenters  also  see  disadvantages  to  relying  on  passwords  to 
 protect  CPNI.  Verizon  and  Verizon  Wireless  report  that  some  customers  dislike  passwords,  and  that  password  systems  hamper  the  transaction  of  legitimate  business.  42  CTIA  notes  that  password  systems 
 invite  fraudulent  requests  for  “lost”  passwords.  43  EPIC  agrees  that  certain  password  procedures  are  easy  for  online  data  brokers  to  circumvent,  but  argues  that  techniques  such  as  a  “shared  secret”  (e.  g.,  what  was 
 the  name  of  your  first  pet?)  can  protect  customers  from  fraudulent  password  manipulation.  44 
 16.  We  solicit  comment  on  the  advisability  of  requiring  carriers  to  adopt  a  consumer-  set  password  system  to  protect  access  to  CPNI.  Would  requiring  the  use  of  passwords  materially  increase  the 


 security  of  CPNI?  Would  such  a  requirement  intrude  on  the  preference  of  some  customers  not  to  have  to  remember  a  password?  Does  the  customer’s  ability  to  change  a  password  play  into  the  hands  of  online 
 data  brokers,  and,  if  so,  how  can  this  danger  be  minimized?  Should  the  Commission  require  telecommunications  carriers  to  notify  customers  if  their  password  is  changed?  If  so,  should  such 
 notification  be  made  by  letter,  e-  mail,  text  message,  voice-  mail  message,  or  some  other  specific  means?  Should  small  carriers  be  exempt  from  password-  related  security  procedures  we  might  require  of  large 
 carriers? 
 17.  Audit  trails.  EPIC  suggests  that  we  require  carriers  to  record  all  instances  when  a  customer’s  records  have  been  accessed,  whether  information  was  disclosed,  and  to  whom.  45  According  to  EPIC, 


 maintaining  an  audit  trail  would  deter  company  insiders  from  selling  information,  and  could  help  carriers  identify  and  investigate  security  breaches.  46  EPIC  points  out  that  our  rules  already  require  carriers  to 
 record  any  CPNI  disclosure  for  use  in  marketing  or  to  third  parties,  and  suggests  that  we  extend  the 
 38  EPIC  Petition  at  8. 
 39  EPIC  Petition  at  8,  11. 
 40  EPIC  Petition  at  11. 
 41  Verizon  Wireless  Comments  at  7;  CTIA  Comments  at  11-  12. 
 42  Verizon  Comments  at  3-  4;  Verizon  Wireless  Comments  at  6-  7. 
 43  CTIA  Comments  at  18. 
 44  EPIC  Reply  Comments  at  5. 
 45  EPIC  Petition  at  11. 
 46  EPIC  Reply  Comments  at  7. 
8
 Federal  Communications  Commission  FCC  06-  10 
 9 
 requirement  to  include  disclosure  of  CPNI  to  account  holders.  47  BellSouth  asserts  that  maintaining  such  an  audit  trail  could  be  unreasonably  costly.  48  Other  commenters  express  uncertainty  whether  such  a  rule 
 would  in  fact  alter  carriers’  existing  practices.  49 
 18.  We  ask  carriers  to  review  the  requirements  of  our  rule  64.2009(  c),  and  to  assess  the  benefits  and  burdens  of  similarly  recording  disclosure  of  CPNI  to  the  customer  account  holder.  Do  most  carriers 


 routinely  log  disclosure  of  CPNI  to  subscribers  as  well  as  to  third  parties?  We  ask  commenters  to  assess  the  benefits  and  burdens  of  this  requirement,  including  on  small  telecommunications  carriers. 


 19.  Encryption.  EPIC  suggests  that  data  stored  by  the  carrier  should  be  encrypted.  50  Commenters  respond  that  data  is  already  encrypted  where  appropriate,  as  when  a  customer  uses  the 
 Internet  to  order  service  or  to  view  call  records,  and  that  encrypting  stored  records  would  increase  costs  and  slow  legitimate  inquiries  without  offering  significant  benefits  in  return.  51  In  particular,  commenters 
 regard  encryption  as  responsive  to  security  problems  that  are  essentially  unrelated  to  protecting  against  inappropriate  disclosure  of  CPNI.  52  We  invite  commenters  to  discuss  whether  encrypting  stored  CPNI 
 data  would  be  useful,  and  to  weigh  the  costs  and  benefits  of  encryption.  Does  evidence  suggest  that  CPNI  records  have  been  fraudulently  accessed  directly  from  databases  without  going  through  a  carrier’s 
 personnel  or  on-  line  customer  access  site?  Would  requiring  encryption  place  an  undue  burden  on  small  carriers? 


 20.  Limiting  data  retention.  EPIC  suggests  that  call  records  should  be  deleted  when  they  are  no  longer  needed  for  billing  or  dispute  purposes.  53  As  an  alternative,  EPIC  suggests  that  carriers  should 
 “deidentify”  records,  that  is,  separate  data  that  identify  a  particular  caller  from  the  general  transaction  records.  54  Commenters  respond  that  they  hesitate  to  destroy  or  remove  identification  data  from  records 
 that  could  become  subject  to  dispute,  and  that  destroying  records  might  conflict  with  our  Part  42  record-keeping  requirements.  55  Commenters  also  observe  that  destruction  of  records  is  not  mandated  by  law,  and 


 47  EPIC  Reply  Comments  at  7;  see  47  C.  F.  R.  §  64.  2009(  c): 
 All  carriers  shall  maintain  a  record,  electronically  or  in  some  other  manner,  of  their  own  and  their  affiliates’  sales  and  marketing  campaigns  that  use  their  customers’  CPNI.  All  carriers 
 shall  maintain  a  record  of  all  instances  where  CPNI  was  disclosed  or  provided  to  third  parties,  or  where  third  parties  were  allowed  access  to  CPNI.  The  record  must  include  a  description  of 
 each  campaign,  the  specific  CPNI  that  was  used  in  the  campaign,  and  what  products  and  services  were  offered  as  a  part  of  the  campaign.  Carriers  shall  retain  the  record  for  a  minimum 
 of  one  year.  48 
 BellSouth  Comments  at  5-  6.  49 
 Verizon  Comments  at  4;  Verizon  Wireless  Comments  at  7  (stating  that  Verizon  Wireless  already  records  (1)  all  instances  when  a  customer’s  record  is  accessed,  (2)  the  subject  of  the  discussion,  and  (3)  whether  information  was 


 disclosed  to  the  customer);  CTIA  Comments  at  19  (claiming  that  carriers  already  follow  such  procedures);  CTIA  Feb.  2  Ex  Parte  Letter  Attach.  at  6  (“[  W]  hen  call  records  are  accessed,  it  is  logged  in  the  customer  service  database, 
 so  the  carrier  can  see  who  looked  at  what  records.  Further,  CSRs  are  trained  to  annotate  the  customer  record  whenever  an  account  change  or  event  occurs.  A  CSR  will  note  when  a  customer  called  and  asked  for  his  or  her 
 records.”).  50 
 EPIC  Petition  at  11.  51 
 CTIA  Comments  at  11,  19;  Verizon  Wireless  Comments  at  8;  Verizon  Comments  at  2,  4-  5.  52 
 Verizon  Comments  at  2-  3.  53 
 EPIC  Petition  at  11.  54 
 EPIC  Petition  at  11-  12.  55 
 Verizon  Wireless  Comments  at  8-  9;  CTIA  Comments  at  19-  20;  see  47  C.  F.  R.  §§  42.  01-  11. 
9
 Federal  Communications  Commission  FCC  06-  10 
 10 
 question  whether  destroying  old  records  contributes  to  solving  the  underlying  problem  of  making  records  less  susceptible  to  fraudulent  disclosure.  56  We  seek  comment  on  whether  CPNI  records  should  eventually 
 be  deleted,  and,  if  so,  how  long  such  records  should  be  kept.  What  costs  and  benefits  would  result  from  requiring  carriers  to  separate  identifying  data  from  transactional  records?  Would  deleting  CPNI  or 
 removing  personal  identification  conflict  with  other  priorities,  such  as  dispute  resolution  or  law  enforcement? 


 21.  Notice.  EPIC  suggests  that  companies  notify  customers  when  the  security  of  their  CPNI  may  have  been  breached.  57  According  to  EPIC,  such  notification  could  help  the  affected  individual  mitigate 
 any  harm  from  the  security  breach,  and  assure  the  public  that  their  personal  data  are  actually  secure.  58  Verizon  Wireless  responds  that  a  notice  requirement  is  unnecessary  because  customers  are  already 
 routinely  notified  of  any  known  security  breach.  59  Verizon  questions  the  usefulness  of  requiring  carriers  to  notify  customers  of  security  breaches  because,  if  CPNI  is  given  to  someone  posing  as  the  customer,  the 
 carrier  will  not  know  that  a  breach  has  occurred.  60 
 22.  We  invite  commenters  to  consider  the  potential  value  of  notification  as  a  precautionary  measure  before  releasing  CPNI.  For  example,  we  seek  comment  on  whether  carriers  should  be  required 


 to  call  the  customer’s  registered  telephone  number  for  that  account  to  verify  the  customer’s  identity  before  releasing  CPNI  to  that  subscriber.  Should  certain  types  of  requests  trigger  an  advance  notification 
 requirement?  For  example,  should  we  require  carriers  to  take  extra  precaution  to  verify  the  authenticity  of  requests  that  data  be  sent  somewhere  other  than  the  mailing  address  where  the  account  is  registered  or 
 a  known  e-  mail  address,  or  requests  that  originate  from  a  number  other  than  a  telephone  number  listed  on  the  customer’s  account?  Should  requests  for  CPNI  that  carriers  receive  via  the  Internet  receive 
 heightened  scrutiny?  Should  carriers  offer  customers  the  option  of  precautionary  verification  before  releasing  CPNI?  If  so,  should  carriers  offer  this  service  to  customers  on  an  “opt-  in”  or  “opt-  out”  basis?  61 


 23.  We  also  invite  commenters  to  weigh  the  costs  and  benefits  of  routinely  notifying  customers  after  any  release  of  their  CPNI,  including  incidents  where  the  carrier  has  no  grounds  to  suspect  that  the 
 request  is  not  legitimate.  For  example,  should  carriers  include  a  statement  on  or  with  the  customer’s  invoice  when  that  customer’s  CPNI  records  have  been  accessed?  Should  release  of  CPNI  trigger  a 
 voicemail  notification  for  wireless  customers?  If  carriers  offer  customers  the  option  of  receiving  notice  after  the  release  of  CPNI,  should  they  do  so  on  an  “opt  in”  or  “opt  out”  basis?  We  solicit  comment 
 regarding  the  cost  of  notification,  how  costs  might  be  minimized  and  recovered,  and  whether  notification  requirements  should  be  specially  tailored  for  small  companies. 


 24.  Public  response  to  EPIC’s  petition  reflects  concern  that  improper  release  of  CPNI  can  have  dire  consequences  for  customers’  personal  safety.  62  Should  we  require  carriers  to  permit  customers  to  put 
 an  absolute  “no  release”  order  on  their  CPNI,  possibly  subject  to  existing  exceptions  in  section  222(  c)(  1)?  63  Also,  does  the  mobile  and  personal  nature  of  wireless  phones  increase  the  privacy 


 56  CTIA  Comments  at  19-  20. 
 57  EPIC  Petition  at  11. 
 58  EPIC  Petition  at  11. 
 59  Verizon  Wireless  Comments  at  8. 
 60  Verizon  Comments  at  5. 
 61  See  supra  note  14  (defining  “opt-  in”  and  “opt-  out”  approval). 
 62  See,  e.  g.,  Nancy  Curtin,  Electronic  Comment  Filing  System  (filed  Jan.  17,  2006)  (expressing  concern  that,  when  a 
 battered  wife  or  stalker  is  involved,  selling  CPNI  may  put  someone’s  life  at  risk).  63 
 47  U.  S.  C.  §  222(  c)(  1). 
10
 Federal  Communications  Commission  FCC  06-  10 
 11 
 expectations  of  wireless  customers,  and  should  wireless  CPNI  receive  additional  protection?  Should  wireless  subscriber  list  information  be  given  any  special  consideration?  We  seek  comment  regarding 
 whether  carriers  should  accord  special  protection  to  the  CPNI  of  certain  categories  of  telephone  users,  such  as,  for  example,  minors. 


 25.  Other  approaches.  We  encourage  commenters  to  think  broadly  and  creatively  about  how  best  to  guard  against  fraudulent  or  unauthorized  disclosure  of  CPNI.  We  take  seriously  commenters’ 
 concern  that  we  recognize  the  danger  of  “giving  wrongdoers  a  roadmap.”  64  EPIC  agrees  that  carriers  should  avoid  discussing  weaknesses  and  specific  procedures  in  a  public  record.  65  To  the  extent 
 commenters  believe  that  certain  anti-  fraud  tactics  are  better  developed  away  from  public  scrutiny,  we  ask  them  to  describe  steps  they  intend  to  take  privately  to  develop  more  effective  measures  to  secure  CPNI 
 from  unauthorized  disclosure.  For  example,  should  carriers  develop  a  working  group  tasked  with  improving  CPNI  security  procedures?  Are  some  anti-  fraud  measures,  such  as  audit  trails  and  notification 
 procedures,  actually  more  effective  if  their  existence  is  well  publicized?  Are  commenters  aware  of  any  measures  state  regulatory  commissions  may  have  taken  relating  to  CPNI  privacy  and  fraudulent  access  to 
 records?  If  so,  what  can  we  learn  from  their  experience?  Inasmuch  as  commenters  disagree  with  any  of  these  proposals,  we  encourage  them  to  suggest  modifications,  and  to  contribute  new  ideas  of  their  own. 


 26.  Enforcement.  Are  there  any  steps  the  Commission  should  take  to  enhance  its  ability  to  enforce  the  requirements  of  section  222  and  the  Commission’s  regulations  relating  to  CPNI?  66  Is  there  a 
 set  of  security  requirements  that  the  Commission  should  adopt  that  would  exempt  a  carrier  from  liability  or  establish  a  safe  harbor  if  the  carrier  implemented  those  requirements?  67  Likewise,  should  failure  to 
 comply  with  some  minimum  set  of  requirements  form  the  basis  of  a  violation?  What  other  measures  might  enhance  the  Commission’s  ability  to  enforce  its  CPNI  regulations? 


 27.  Reporting  and  Notification.  In  part  because  “CPNI”  is  not  a  term  with  which  most  customers  are  familiar,  we  seek  comment  on  whether  the  notifications  carriers  provide  subscribers  regarding  the  use 
 and  disclosure  of  CPNI  are  written  clearly  enough  so  that  customers  adequately  understand  that  the  notices  concern  the  privacy  of  personal  telephone  records  and  the  scope  of  disclosure  authorized.  We 
 note  that  section  64.  2008(  c)  of  the  Commission’s  rules  requires  that  customer  notifications  be  comprehensible  and  not  be  misleading.  68  We  seek  comment  on  what  changes  to  our  rules,  if  any,  are 
 necessary  to  ensure  that  customers  fully  understand  what  personal  records  telecommunications  carriers  seek  permission  to  use  and/  or  disclose. 


 28.  Should  the  Commission  adopt  any  additional  reporting  requirements  related  to  the  disclosure  of  CPNI?  As  noted  above,  the  Commission’s  existing  rules  require  carriers  to  provide  written  notice 
 within  five  business  days  to  the  Commission  of  any  instance  where  the  opt-  out  mechanisms  do  not  work 
 64  Verizon  Comments  at  1;  Verizon  Wireless  Comments  at  1,  5;  CTIA  Comments  at  2. 
 65  EPIC  Reply  Comments  at  4-  5.  EPIC’s  own  discussion  of  accessing  Cingular  Wireless  CPNI  illustrates  the 
 problem.  See  EPIC  Reply  Comments  at  5.  66 
 Some  commenters  argue  that  the  current  rules  are  sufficient,  claiming  that  “telecommunications  carriers  are  already  subject  to  clear  and  unambiguous  obligations  to  guard  the  confidentiality  of  CPNI  and  to  ensure  that  it  is  not 


 disclosed  to  third  parties  without  customer  approval  or  as  required  by  law.”  See  BellSouth  Comments  at  2.  67 
 Some  commenters  make  the  point  that  “setting  particular  guidelines  on  the  types  of  measures  carriers  must  take  to  protect  CPNI  might  actually  make  the  problem  worse  because  it  would  give  wrongdoers  a  roadmap  of  the 


 information  they  need  in  order  to  obtain  CPNI.”  Verizon  Comments  at  3;  see  also  SBC  Comments  at  2  (arguing  that  mandated  security  measures  would  quickly  become  obsolete  and  that  pretexters  would  “immediately  try  to  figure 
 out  a  way  around  them”);  CTIA  Comments  at  3;  CTIA  Reply  at  3.  68 
 47  C.  F.  R.  §  64.  2008(  c). 
11
 Federal  Communications  Commission  FCC  06-  10 
 12 
 properly  to  such  a  degree  that  consumers’  inability  to  opt-  out  is  more  than  an  anomaly.  69  Should  the  Commission  adopt  a  similar  reporting  requirement  in  cases  of  unauthorized  access  to  or  disclosure  of 
 CPNI?  Should  the  Commission  require  carriers  to  report  all  instances  of  unauthorized  access  to  or  disclosure  of  CPNI?  As  discussed  above,  are  there  any  additional  requirements  the  Commission  should 
 adopt  that  would  help  ensure  that  carriers  are  being  made  aware  of  instances  in  which  they  disclose  or  provide  access  to  CPNI  without  proper  customer  authorization?  Should  any  requirements  the 
 Commission  adopts  in  the  context  of  the  present  rulemaking  extend  to  VoIP  service  providers  or  other  IP-  enabled  service  providers?  70 


 29.  The  Commission’s  current  rules  require  each  telecommunications  carrier  to  have  an  officer,  as  an  agent  of  the  carrier,  sign  a  compliance  certificate  on  an  annual  basis  stating  that  the  officer  has 
 personal  knowledge  that  the  company  has  established  operating  procedures  that  are  adequate  to  ensure  compliance  with  the  Commission’s  CPNI  rules  and  to  make  that  certification  available  to  the  public.  71 
 We  believe  the  lack  of  uniformity  relating  to  certifications  could  be  an  obstacle  to  effective  enforcement  of  our  CPNI  rules.  We  tentatively  conclude  that  the  Commission  should  amend  its  rules  to  require 
 carriers  to  certify  no  later  than  January  1st  (or  other  date  specified  by  the  Commission)  of  each  year,  covering  the  preceding  calendar  year,  and  to  file  the  compliance  certificate  with  the  Commission  within 
 30  days.  Carriers  should  attach  to  this  annual  section  64.2009(  e)  certification  an  explanation  of  any  actions  taken  against  data  brokers  and  a  summary  of  all  consumer  complaints  received  in  the  past  year 
 concerning  the  unauthorized  release  of  CPNI.  We  seek  comment  on  this  proposal.  We  also  seek  comment  on  whether  this  Commission-  filing  requirement  should  only  be  imposed  on  telecommunications 
 carriers  that  are  not  small  telephone  companies  as  defined  by  the  Small  Business  Administration. 
 30.  Commenters  should  assess  the  burdens  as  well  as  the  benefits  of  any  specific  measures  they  urge  the  Commission  to  adopt,  and  address  whether  any  less  burdensome  measures  could  achieve  the 


 same  benefits.  Should  small  telecommunications  carriers  be  subject  to  different  CPNI-  related  obligations  than  large  telecommunications  carriers?  Assuming  that  the  regulatory  obligations  ultimately  should  be 
 identical  among  all  telecommunications  carriers,  should  small  telecommunications  carriers  be  given  a  longer  deadline  to  implement  any  new  requirements  that  are  adopted  in  this  proceeding?  Finally,  are 
 there  any  considerations  other  than  those  raised  above  that  the  Commission  should  take  into  account  as  it  considers  information  submitted  in  response  to  this  Notice? 


 69  47  C.  F.  R.  §  64.  2009(  f);  see  also  supra  note  21. 
 70  The  Commission  has  sought  comment  on  related  issues  in  the  wireline  Internet  broadband  access  services 
 rulemaking  and  the  IP-  Enabled  Services  proceeding  and  may  take  official  notice  of  comments  filed  in  those  dockets.  See  Appropriate  Framework  for  Broadband  Access  to  the  Internet  over  Wireline  Facilities;  Universal  Service 


 Obligations  of  Broadband  Providers;  Review  of  Regulatory  Requirements  for  Incumbent  LEC  Broadband  Telecommunications  Services;  Computer  III  Further  Remand  Proceedings:  Bell  Operating  Company  Provision  of 
 Enhanced  Services;  1998  Biennial  Regulatory  Review  –  Review  of  Computer  III  and  ONA  Safeguards  and  Requirements;  Conditional  Petition  of  the  Verizon  Telephone  Companies  for  Forbearance  under  47  U.  S.  C.  §  160(  c) 
 with  Regard  to  Broadband  Services  Provided  via  Fiber  to  the  Premises;  Petition  of  the  Verizon  Telephone  Companies  for  Declaratory  Ruling  or,  Alternatively,  for  Interim  Waiver  with  Regard  to  Broadband  Services 
 Provided  via  Fiber  to  the  Premises;  Consumer  Protection  in  the  Broadband  Era,  Report  and  Order  and  Notice  of  Proposed  Rulemaking,  CC  Docket  Nos.  01-  337,  02-  33,  95-  20,  98-  10,  WC  Docket  Nos.  04-  242,  05-  271,  FCC  05-  150 
 (rel.  Sept.  23,  2005);  see  also  IP-  Enabled  Services,  Notice  of  Proposed  Rulemaking,  WC  Docket  No.  04-  36,  19  FCC  Rcd.  4863  (2004). 
 71  47  C.  F.  R.  §  64.  2009(  e);  see  also  CPNI  Order,  13  FCC  Rcd  at  8199,  para.  201  (requiring  the  annual  certification 
 to  be  made  publicly  available).  Under  Section  64.  2009(  e),  a  carrier  must  include  with  its  annual  certification  a  statement  explaining  how  its  operating  procedures  ensure  that  it  is  or  is  not  in  compliance  with  the  Commission’s 


 CPNI  rules.  47  C.  F.  R.  §  64.  2009(  e). 
12
 Federal  Communications  Commission  FCC  06-  10 
 13 
 IV.  PROCEDURAL  MATTERS 
 A.  Regulatory  Flexibility 
 31.  As  required  by  the  Regulatory  Flexibility  Act,  5  U.  S.  C.  §  603,  the  Commission  has  prepared  an  Initial  Regulatory  Flexibility  Analysis  (IRFA)  of  the  possible  significant  economic  impact  on  small 


 entities  of  the  policies  and  rules  addressed  in  this  Notice.  The  IRFA  is  set  forth  in  Appendix  B.  Written  public  comments  are  requested  on  the  IRFA.  These  comments  must  be  filed  in  accordance  with  the  same 
 filing  deadlines  as  comments  filed  in  response  to  this  Notice  and  must  have  a  separate  and  distinct  heading  designating  them  as  responses  to  the  IRFA. 


 B.  Paperwork  Reduction  Act 
 32.  This  document  contains  proposed  information  collection  requirements.  The  Commission,  as  part  of  its  continuing  effort  to  reduce  paperwork  burden,  invites  the  general  public  and  the  Office  of 


 Management  and  Budget  (OMB)  to  comment  on  the  information  collection  requirements  contained  in  this  document,  as  required  by  the  Paperwork  Reduction  Act  of  1995,  Public  Law  104-  13.  Public  and  agency 
 comments  are  due  60  days  after  date  of  publication  in  the  Federal  Register.  Comments  should  address:  (a)  whether  the  proposed  collection  of  information  is  necessary  for  the  proper  performance  of  the 
 functions  of  the  Commission,  including  whether  the  information  shall  have  practical  utility;  (b)  the  accuracy  of  the  Commission’s  burden  estimates;  (c)  ways  to  enhance  the  quality,  utility,  and  clarity  of  the 
 information  collected;  and  (d)  ways  to  minimize  the  burden  of  the  collection  of  information  on  the  respondents,  including  the  use  of  automated  collection  techniques  or  other  forms  of  information 
 technology.  In  addition,  pursuant  to  the  Small  Business  Paperwork  Relief  Act  of  2002,  Public  Law  107-  198,  see  44  U.  S.  C.  §  3506(  c)(  4),  we  seek  specific  comment  on  how  we  might  “further  reduce  the 
 information  collection  burden  for  small  business  concerns  with  fewer  than  25  employees.” 
 C.  Other  Procedural  Matters 
 1.  Ex  Parte  Presentations 
 33.  The  rulemaking  this  Notice  initiates  shall  be  treated  as  a  “permit-  but-  disclose”  proceeding  in  accordance  with  the  Commission’s  ex  parte  rules.  72  Persons  making  oral  ex  parte  presentations  are 


 reminded  that  memoranda  summarizing  the  presentations  must  contain  summaries  of  the  substance  of  the  presentations  and  not  merely  a  listing  of  the  subjects  discussed.  More  than  a  one  or  two  sentence 
 description  of  the  views  and  arguments  presented  generally  is  required.  73  Other  requirements  pertaining  to  oral  and  written  presentations  are  set  forth  in  section  1.1206(  b)  of  the  Commission’s  rules.  74 


 2.  Comment  Filing  Procedures 
 34.  Pursuant  to  sections  1.415  and  1.419  of  the  Commission’s  rules,  75  interested  parties  may  file  comments  and  reply  comments  regarding  the  Notice  on  or  before  the  dates  indicated  on  the  first  page  of 


 this  document.  All  filings  related  to  this  Notice  of  Proposed  Rulemaking  should  refer  to  CC  Docket 


 72  47  C.  F.  R.  §§  1.200  et  seq. 
 73  See  47  C.  F.  R.  §  1.  1206(  b)(  2). 
 74  47  C.  F.  R.  §  1.1206(  b). 
 75  47  C.  F.  R.  §§  1.  415,  1.419. 
13
 Federal  Communications  Commission  FCC  06-  10 
 15 
 3.  Accessible  Formats 
 37.  To  request  materials  in  accessible  formats  for  people  with  disabilities  (Braille,  large  print,  electronic  files,  audio  format),  send  an  e-  mail  to  fcc504@  fcc.  gov  or  call  the  Consumer  &  Governmental 


 Affairs  Bureau  at  202-  418-  0530  (voice)  or  202-  418-  0432  (TTY).  Contact  the  FCC  to  request  reasonable  accommodations  for  filing  comments  (accessible  format  documents,  sign  language  interpreters,  CART, 
 etc.)  by  e-  mail:  FCC504@  fcc.  gov;  phone:  202-  418-  0530  or  TTY:  202-  418-  0432. 
 V.  ORDERING  CLAUSES 
 38.  Accordingly,  IT  IS  ORDERED,  pursuant  to  sections  1,  4(  i),  4(  j),  and  222  of  the  Communications  Act  of  1934,  as  amended,  47  U.  S.  C.  §§  151,  154(  i)-(  j),  222,  that  this  Notice  in  CC 


 Docket  No.  96-  115  and  RM-  11277  IS  ADOPTED. 
 39.  IT  IS  FURTHER  ORDERED  that  the  Petition  for  Rulemaking  of  the  Electronic  Privacy  Information  Center  IS  GRANTED  to  the  extent  described  herein. 


 40.  IT  IS  FURTHER  ORDERED  that  the  proceeding  in  RM-  11277  IS  HEREBY  TERMINATED. 
 41.  IT  IS  FURTHER  ORDERED  that  the  Commission’s  Consumer  &  Governmental  Affairs  Bureau,  Reference  Information  Center,  SHALL  SEND  a  copy  of  this  Notice,  including  the  Initial 
 Regulatory  Flexibility  Analysis,  to  the  Chief  Counsel  for  Advocacy  of  the  Small  Business  Administration. 


 FEDERAL  COMMUNICATIONS  COMMISSION 


 Marlene  H.  Dortch  Secretary 
15
 Federal  Communications  Commission  FCC  06-  10 
 16 
 APPENDIX  A 
 COMMENTERS  RM-  11277 


 Comments  Abbreviation  BellSouth  Corporation  BellSouth 
 CTIA  –  The  Wireless  Association  CTIA  Verizon  telephone  companies  Verizon 
 Verizon  Wireless  Verizon  Wireless 
 REPLY  COMMENTERS  RM-  11277 


 Reply  Comments  Abbreviation  CTIA  –  The  Wireless  Association  CTIA 
 Electronic  Privacy  Information  Center  EPIC  Frank  Camarillo  Frank  Camarillo 


 INDIVIDUALS  FILING  EX  PARTE  COMMENTS  RM-  11277 
 Ex  Parte  Comments  from  Individuals  Carol  Adams 
 Anonymous,  received  Jan.  17,  2006  Jane  Bailey 
 George  Bishop  Wendy  Boykin 
 Jason  Brugh  Georgia  Case 
 Chris  Chamblee  Oscar  Christophersen 
 Nancy  Curtin  Mark  Dailey 
 Sue  Esser  Neil  Fairmer 
 Janice  M.  Farina  Larry  Foley 
 David  R.  Forest  Barbra  Glass 
 Richard  Glenn  Guillory  Matthew  Guy 
 Richard  N.  Hathaway  H.  J.  Hathcock 
 M.  J.  Heise  Stephanie  Hoel 
 Thomas  D.  Hopwood  Mark  R.  Ivan 
 Rosemarie  K.  Jones  Wanda  Jones 
16
 Federal  Communications  Commission  FCC  06-  10 
 17 
 Roger  Jurgensen  Louann  Kenyon 
 Donna  E.  Kidd  Rick  LaFave 
 Phil  Lawson  Nancy  Lebrecht 
 Matt  LeConte  Kathy  Ledbetter 
 Andrew  Lindeman  Lisa 
 Carol  S.  Matthews  George  Mercer 
 Michael  A.  Missey  Brian  Morris 
 Greg  Mumm  Kaci  Newman 
 Amey  Pennington  Darren  Pennington 
 D.  M.  Perkins  Robert  D.  Reiswig 
 Chris  Riban  Mike  Riban 
 Suzy  Robertson  Linda  Rossi 
 Victoria  Marie  Rum  Patricia  L.  Russo 
 Darryl  Scott  Roger  Scott 
 Bonnie  S.  Seehoffer  Jim  Shields 
 Bernard  Soffer  Sherrill  Smas 
 Donald  Timpe  Julie  D.  Walker 
 M.  L.  Willingham  Donald  Winn 
 Starr  Wilson  Katherine  &  Gary  Yaeger 
 Tony  Zintsmaster 
17
 Federal  Communications  Commission  FCC  06-  10 
 18 
 APPENDIX  B 
 INITIAL  REGULATORY  FLEXIBILITY  ANALYSIS 
 42.  As  required  by  the  Regulatory  Flexibility  Act  of  1980,  as  amended  (RFA),  77  the  Commission  has  prepared  the  present  Initial  Regulatory  Flexibility  Analysis  (IRFA)  of  the  possible  significant 
 economic  impact  on  small  entities  that  might  result  from  this  Notice.  Written  public  comments  are  requested  on  this  IRFA.  Comments  must  be  identified  as  responses  to  the  IRFA  and  must  be  filed  by  the 
 deadlines  for  comments  on  the  Notice  provided  above.  The  Commission  will  send  a  copy  of  the  Notice,  including  this  IRFA,  to  the  Chief  Counsel  for  Advocacy  of  the  Small  Business  Administration.  78  In 
 addition,  the  Notice  and  IRFA  (or  summaries  thereof)  will  be  published  in  the  Federal  Register.  79 
 A.  Need  for,  and  Objectives  of,  the  Proposed  Rules 
 43.  In  the  Notice,  we  grant  EPIC’s  petition  for  rulemaking  and  seek  comment  on  what  security  measures  telecommunications  carriers  currently  have  in  place  for  verifying  the  identity  of  people 


 requesting  CPNI;  what  inadequacies  currently  exist  in  those  measures  that  allow  third  parties  such  as  online  data  brokers  and  private  investigators  to  access  CPNI  without  the  customer’s  knowledge  or 
 authorization;  and  what  kind  of  security  measures  may  be  warranted  to  better  protect  telecommunications  customers  from  unauthorized  access  to  CPNI.  In  particular,  we  seek  comment  on  EPIC’s  five  proposals 
 to  address  the  unauthorized  means  of  obtaining  CPNI:  (1)  consumer-  set  passwords;  (2)  audit  trails;  (3)  encryption;  (4)  limiting  data  retention;  and  (5)  procedures  for  notice  to  the  customer  on  release  of  CPNI 
 data.  We  also  seek  comment  on  what  steps  the  Commission  should  take  to  enforce  its  CPNI  rules  and  whether  carriers  should  be  required  to  report  further  on  the  release  of  CPNI. 


 B.  Legal  Basis 
 44.  The  legal  basis  for  any  action  that  may  be  taken  pursuant  to  the  Notice  is  contained  in  sections  1,  4(  i),  4(  j),  and  222  of  the  Communications  Act  of  1934,  as  amended,  47  U.  S.  C.  §§  151,  154(  i)  -( 


 j),  222. 
 C.  Description  and  Estimate  of  the  Number  of  Small  Entities  to  Which  the  Proposed  Rules  May  Apply 


 45.  The  RFA  directs  agencies  to  provide  a  description  of  and,  where  feasible,  an  estimate  of  the  number  of  small  entities  that  may  be  affected  by  the  proposed  rules.  80  The  RFA  generally  defines  the 
 term  “small  entity”  as  having  the  same  meaning  as  the  terms  “small  business,”  “small  organization,”  and  “small  governmental  jurisdiction.”  81  In  addition,  the  term  “small  business”  has  the  same  meaning  as  the 
 term  “small  business  concern”  under  the  Small  Business  Act.  82  A  small  business  concern  is  one  which: 


 77  See  5  U.  S.  C.  §  603.  The  RFA,  see  5  U.  S.  C.  §§  601-  12,  has  been  amended  by  the  Small  Business  Regulatory 
 Enforcement  Fairness  Act  of  1996  (SBREFA),  Pub.  L.  No.  104-  121,  110  Stat.  857  (1996).  78 
 See  5  U.  S.  C.  §  603(  a).  79 
 See  5  U.  S.  C.  §  603(  a).  80 
 5  U.  S.  C.  §§  603(  b)(  3),  604(  a)(  3).  81 
 5  U.  S.  C.  §  601(  6).  82 
 5  U.  S.  C.  §  601(  3)  (incorporating  by  reference  the  definition  of  “small  business  concern”  in  the  Small  Business  Act,  15  U.  S.  C.  §  632).  Pursuant  to  5  U.  S.  C.  §  601(  3),  the  statutory  definition  of  a  small  business  applies  “unless  an 


 agency,  after  consultation  with  the  Office  of  Advocacy  of  the  Small  Business  Administration  and  after  opportunity  (continued....) 
18
 Federal  Communications  Commission  FCC  06-  10 
 19 
 (1)  is  independently  owned  and  operated;  (2)  is  not  dominant  in  its  field  of  operation;  and  (3)  satisfies  any  additional  criteria  established  by  the  Small  Business  Administration  (SBA).  83 
 46.  Small  Businesses.  Nationwide,  there  are  a  total  of  approximately  22.4  million  small  businesses,  according  to  SBA  data.  84 
 47.  Small  Organizations.  Nationwide,  there  are  approximately  1.6  million  small  organizations.  85 
 48.  Small  Governmental  Jurisdictions.  The  term  “small  governmental  jurisdiction”  is  defined  generally  as  “governments  of  cities,  towns,  townships,  villages,  school  districts,  or  special  districts,  with  a 


 population  of  less  than  fifty  thousand.”  86  Census  Bureau  data  for  2002  indicate  that  there  were  87,  525  local  governmental  jurisdictions  in  the  United  States.  87  We  estimate  that,  of  this  total,  84,377  entities 
 were  “small  governmental  jurisdictions.”  88  Thus,  we  estimate  that  most  governmental  jurisdictions  are  small. 


 1.  Telecommunications  Service  Entities 
 a.  Wireline  Carriers  and  Service  Providers 
 49.  We  have  included  small  incumbent  local  exchange  carriers  in  this  present  RFA  analysis.  As  noted  above,  a  “small  business”  under  the  RFA  is  one  that,  inter  alia,  meets  the  pertinent  small  business 


 size  standard  (e.  g.,  a  telephone  communications  business  having  1,500  or  fewer  employees),  and  “is  not  dominant  in  its  field  of  operation.”  89  The  SBA’s  Office  of  Advocacy  contends  that,  for  RFA  purposes, 
 small  incumbent  local  exchange  carriers  are  not  dominant  in  their  field  of  operation  because  any  such  dominance  is  not  “national”  in  scope.  90  We  have  therefore  included  small  incumbent  local  exchange 
 carriers  in  this  RFA  analysis,  although  we  emphasize  that  this  RFA  action  has  no  effect  on  Commission  analyses  and  determinations  in  other,  non-  RFA  contexts. 


 50.  Incumbent  Local  Exchange  Carriers  (LECs).  Neither  the  Commission  nor  the  SBA  has  developed  a  small  business  size  standard  specifically  for  incumbent  local  exchange  services.  The 


 (...  continued  from  previous  page)  for  public  comment,  establishes  one  or  more  definitions  of  such  terms  which  are  appropriate  to  the  activities  of  the 
 agency  and  publishes  such  definitions(  s)  in  the  Federal  Register.”  83 
 15  U.  S.  C.  §  632.  84 
 See  SBA,  Programs  and  Services,  SBA  Pamphlet  No.  CO-  0028,  at  page  40  (July  2002).  85 
 Independent  Sector,  The  New  Nonprofit  Almanac  &  Desk  Reference  (2002).  86 
 5  U.  S.  C.  §  601(  5).  87 
 U.  S.  Census  Bureau,  Statistical  Abstract  of  the  United  States:  2006,  Section  8,  page  272,  Table  415.  88 
 We  assume  that  the  villages,  school  districts,  and  special  districts  are  small,  and  total  48,  558.  See  U.  S.  Census  Bureau,  Statistical  Abstract  of  the  United  States:  2006,  section  8,  page  273,  Table  417.  For  2002,  Census  Bureau 


 data  indicate  that  the  total  number  of  county,  municipal,  and  township  governments  nationwide  was  38,  967,  of  which  35,  819  were  small.  Id. 
 89  15  U.  S.  C.  §  632. 
 90  Letter  from  Jere  W.  Glover,  Chief  Counsel  for  Advocacy,  SBA,  to  William  E.  Kennard,  Chairman,  FCC  (May 
 27,  1999).  The  Small  Business  Act  contains  a  definition  of  “small-  business  concern,”  which  the  RFA  incorporates  into  its  own  definition  of  “small  business.”  See  15  U.  S.  C.  §  632(  a)  (Small  Business  Act);  5  U.  S.  C.  §  601(  3)  (RFA). 


 SBA  regulations  interpret  “small  business  concern”  to  include  the  concept  of  dominance  on  a  national  basis.  See  13  C.  F.  R.  §  121.102(  b). 
19
 Federal  Communications  Commission  FCC  06-  10 
 20 
 appropriate  size  standard  under  SBA  rules  is  for  the  category  Wired  Telecommunications  Carriers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  91  According  to 
 Commission  data,  92  1,303  carriers  have  reported  that  they  are  engaged  in  the  provision  of  incumbent  local  exchange  services.  Of  these  1,303  carriers,  an  estimated  1,020  have  1,500  or  fewer  employees  and  283 
 have  more  than  1,500  employees.  Consequently,  the  Commission  estimates  that  most  providers  of  incumbent  local  exchange  service  are  small  businesses  that  may  be  affected  by  our  action. 


 51.  Competitive  Local  Exchange  Carriers,  Competitive  Access  Providers  (CAPs),  “Shared-Tenant  Service  Providers,”  and  “Other  Local  Service  Providers.”  Neither  the  Commission  nor  the  SBA 
 has  developed  a  small  business  size  standard  specifically  for  these  service  providers.  The  appropriate  size  standard  under  SBA  rules  is  for  the  category  Wired  Telecommunications  Carriers.  Under  that  size 
 standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  93  According  to  Commission  data,  94  769  carriers  have  reported  that  they  are  engaged  in  the  provision  of  either  competitive  access  provider 
 services  or  competitive  local  exchange  carrier  services.  Of  these  769  carriers,  an  estimated  676  have  1,500  or  fewer  employees  and  93  have  more  than  1,500  employees.  In  addition,  12  carriers  have  reported 
 that  they  are  “Shared-  Tenant  Service  Providers,”  and  all  12  are  estimated  to  have  1,500  or  fewer  employees.  In  addition,  39  carriers  have  reported  that  they  are  “Other  Local  Service  Providers.”  Of  the 
 39,  an  estimated  38  have  1,500  or  fewer  employees  and  one  has  more  than  1,500  employees.  Consequently,  the  Commission  estimates  that  most  providers  of  competitive  local  exchange  service, 
 competitive  access  providers,  “Shared-  Tenant  Service  Providers,”  and  “Other  Local  Service  Providers”  are  small  entities  that  may  be  affected  by  our  action. 


 52.  Local  Resellers.  The  SBA  has  developed  a  small  business  size  standard  for  the  category  of  Telecommunications  Resellers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer 
 employees.  95  According  to  Commission  data,  96  143  carriers  have  reported  that  they  are  engaged  in  the  provision  of  local  resale  services.  Of  these,  an  estimated  141  have  1,500  or  fewer  employees  and  two 
 have  more  than  1,500  employees.  Consequently,  the  Commission  estimates  that  the  majority  of  local  resellers  are  small  entities  that  may  be  affected  by  our  action. 


 53.  Toll  Resellers.  The  SBA  has  developed  a  small  business  size  standard  for  the  category  of  Telecommunications  Resellers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer 
 employees.  97  According  to  Commission  data,  98  770  carriers  have  reported  that  they  are  engaged  in  the  provision  of  toll  resale  services.  Of  these,  an  estimated  747  have  1,500  or  fewer  employees  and  23  have 
 more  than  1,500  employees.  Consequently,  the  Commission  estimates  that  the  majority  of  toll  resellers  are  small  entities  that  may  be  affected  by  our  action. 


 54.  Payphone  Service  Providers  (PSPs).  Neither  the  Commission  nor  the  SBA  has  developed  a 
 91  13  C.  F.  R.  §  121.201,  NAICS  code  517110  (changed  from  513310  in  Oct.  2002). 
 92  FCC,  Wireline  Competition  Bureau,  Industry  Analysis  and  Technology  Division,  “Trends  in  Telephone  Service” 
 at  Table  5.3,  page  5-  5  (April  2005)  (“  Trends  in  Telephone  Service”).  This  source  uses  data  that  are  current  as  of  October  1,  2004. 


 93  13  C.  F.  R.  §  121.201,  NAICS  code  517110  (changed  from  513310  in  Oct.  2002). 
 94  “Trends  in  Telephone  Service”  at  Table  5.3. 
 95  13  C.  F.  R.  §  121.201,  NAICS  code  517310  (changed  from  513330  in  Oct.  2002). 
 96  “Trends  in  Telephone  Service”  at  Table  5.3. 
 97  13  C.  F.  R.  §  121.201,  NAICS  code  517310  (changed  from  513330  in  Oct.  2002). 
 98  “Trends  in  Telephone  Service”  at  Table  5.3. 
20
 Federal  Communications  Commission  FCC  06-  10 
 21 
 small  business  size  standard  specifically  for  payphone  services  providers.  The  appropriate  size  standard  under  SBA  rules  is  for  the  category  Wired  Telecommunications  Carriers.  Under  that  size  standard,  such  a 
 business  is  small  if  it  has  1,500  or  fewer  employees.  99  According  to  Commission  data,  100  613  carriers  have  reported  that  they  are  engaged  in  the  provision  of  payphone  services.  Of  these,  an  estimated  609 
 have  1,500  or  fewer  employees  and  four  have  more  than  1,500  employees.  Consequently,  the  Commission  estimates  that  the  majority  of  payphone  service  providers  are  small  entities  that  may  be 
 affected  by  our  action. 
 55.  Interexchange  Carriers  (IXCs).  Neither  the  Commission  nor  the  SBA  has  developed  a  small  business  size  standard  specifically  for  providers  of  interexchange  services.  The  appropriate  size  standard 


 under  SBA  rules  is  for  the  category  Wired  Telecommunications  Carriers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  101  According  to  Commission  data,  102  316  carriers 
 have  reported  that  they  are  engaged  in  the  provision  of  interexchange  service.  Of  these,  an  estimated  292  have  1,500  or  fewer  employees  and  24  have  more  than  1,500  employees.  Consequently,  the  Commission 
 estimates  that  the  majority  of  IXCs  are  small  entities  that  may  be  affected  by  our  action. 
 56.  Operator  Service  Providers  (OSPs).  Neither  the  Commission  nor  the  SBA  has  developed  a  small  business  size  standard  specifically  for  operator  service  providers.  The  appropriate  size  standard 


 under  SBA  rules  is  for  the  category  Wired  Telecommunications  Carriers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  103  According  to  Commission  data,  104  23  carriers 
 have  reported  that  they  are  engaged  in  the  provision  of  operator  services.  Of  these,  an  estimated  20  have  1,500  or  fewer  employees  and  three  have  more  than  1,500  employees.  Consequently,  the  Commission 
 estimates  that  the  majority  of  OSPs  are  small  entities  that  may  be  affected  by  our  action. 
 57.  Prepaid  Calling  Card  Providers.  Neither  the  Commission  nor  the  SBA  has  developed  a  small  business  size  standard  specifically  for  prepaid  calling  card  providers.  The  appropriate  size  standard 


 under  SBA  rules  is  for  the  category  Telecommunications  Resellers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  105  According  to  Commission  data,  106  89  carriers 
 have  reported  that  they  are  engaged  in  the  provision  of  prepaid  calling  cards.  Of  these,  88  are  estimated  to  have  1,500  or  fewer  employees  and  one  has  more  than  1,500  employees.  Consequently,  the 
 Commission  estimates  that  all  or  the  majority  of  prepaid  calling  card  providers  are  small  entities  that  may  be  affected  by  our  action. 


 58.  800  and  800-  Like  Service  Subscribers.  107  Neither  the  Commission  nor  the  SBA  has  developed  a  small  business  size  standard  specifically  for  800  and  800-  like  service  (“  toll  free”) 
 subscribers.  The  appropriate  size  standard  under  SBA  rules  is  for  the  category  Telecommunications  Resellers.  Under  that  size  standard,  such  a  business  is  small  if  it  has  1,500  or  fewer  employees.  108  The 


 99  13  C.  F.  R.  §  121.201,  NAICS  code  517110  (changed  from  513310  in  Oct.  2002). 
 100  “Trends  in  Telephone  Service”  at  Table  5.3. 
 101  13  C.  F.  R.  §  121.201,  NAICS  code  517110  (changed  from  513310  in  Oct.  2002). 
 102  “Trends  in  Telephone  Service”  at  Table  5.3. 
 103  13  C.  F.  R.  §  121.201,  NAICS  code  517110  (changed  from  513310  in  Oct.  2002). 
 104  “Trends  in  Telephone  Service”  at  Table  5.3. 
 105  13  C.  F.  R.  §  121.201,  NAICS  code  517310  (changed  from  513330  in  Oct.  2002). 
 106  “Trends  in  Telephone  Service”  at  Table  5.3. 
 107  We  include  all  toll-  free  number  subscribers  in  this  category,  including  those  for  888  numbers. 
 108  13  C.  F.  R.  §  121.201,  NAICS  code  517310  (changed  from  513330  in  Oct.  2002). 
21
 Federal  Communications  Commission  FCC  06-  10 
 22 
 most  reliable  source  of  information  regarding  the  number  of  these  service  subscribers  appears  to  be  data  the  Commission  collects  on  the  800,  888,  and  877  numbers  in  use.  109  According  to  our  data,  at  the  end  of 
 January,  1999,  the  number  of  800  numbers  assigned  was  7,692,955;  the  number  of  888  numbers  assigned  was  7,706,393;  and  the  number  of  877  numbers  assigned  was  1,946,538.  We  do  not  have  data  specifying 
 the  number  of  these  subscribers  that  are  not  independently  owned  and  operated  or  have  more  than  1,500  employees,  and  thus  are  unable  at  this  time  to  estimate  with  greater  precision  the  number  of  toll  free 
 subscribers  that  would  qualify  as  small  businesses  under  the  SBA  size  standard.  Consequently,  we  estimate  that  there  are  7,692,955  or  fewer  small  entity  800  subscribers;  7,706,393  or  fewer  small  entity 
 888  subscribers;  and  1,946,538  or  fewer  small  entity  877  subscribers. 
 b.  International  Service  Providers 
 59.  The  Commission  has  not  developed  a  small  business  size  standard  specifically  for  providers  of  international  service.  The  appropriate  size  standards  under  SBA  rules  are  for  the  two  broad  census 


 categories  of  “Satellite  Telecommunications”  and  “Other  Telecommunications.”  Under  both  categories,  such  a  business  is  small  if  it  has  $12.5  million  or  less  in  average  annual  receipts.  110 


 60.  The  first  category  of  Satellite  Telecommunications  “comprises  establishments  primarily  engaged  in  providing  point-  to-  point  telecommunications  services  to  other  establishments  in  the 
 telecommunications  and  broadcasting  industries  by  forwarding  and  receiving  communications  signals  via  a  system  of  satellites  or  reselling  satellite  telecommunications.”  111  For  this  category,  Census  Bureau  data 
 for  2002  show  that  there  were  a  total  of  371  firms  that  operated  for  the  entire  year.  112  Of  this  total,  307  firms  had  annual  receipts  of  under  $10  million,  and  26  firms  had  receipts  of  $10  million  to 
 $24,999,999.  113  Consequently,  we  estimate  that  the  majority  of  Satellite  Telecommunications  firms  are  small  entities  that  might  be  affected  by  our  action. 


 61.  The  second  category  of  Other  Telecommunications  “comprises  establishments  primarily  engaged  in  (1)  providing  specialized  telecommunications  applications,  such  as  satellite  tracking, 
 communications  telemetry,  and  radar  station  operations;  or  (2)  providing  satellite  terminal  stations  and  associated  facilities  operationally  connected  with  one  or  more  terrestrial  communications  systems  and 
 capable  of  transmitting  telecommunications  to  or  receiving  telecommunications  from  satellite  systems.”  114  For  this  category,  Census  Bureau  data  for  2002  show  that  there  were  a  total  of  332  firms  that  operated  for 
 the  entire  year.  115  Of  this  total,  259  firms  had  annual  receipts  of  under  $10  million  and  15  firms  had  annual  receipts  of  $10  million  to  $24,999,999.  116  Consequently,  we  estimate  that  the  majority  of  Other 
 Telecommunications  firms  are  small  entities  that  might  be  affected  by  our  action. 
 109  See  FCC,  Common  Carrier  Bureau,  Industry  Analysis  Division,  Study  on  Telephone  Trends,  Tables  21.2,  21.3, 
 and  21.  4  (Feb.  1999).  110 
 13  C.  F.  R.  §  121.201  ,  NAICS  codes  517410  and  517910.  111 
 U.  S.  Census  Bureau,  “2002  NAICS  Definitions:  517410  Satellite  Telecommunications”  (www.  census.  gov.,  visited  Feb.  2006). 


 112  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  Information,  “Establishment  and  Firm  Size 
 (Including  Legal  Form  of  Organization),”  Table  4,  NAICS  code  517410  (issued  Nov.  2005).  113 
 Id.  An  additional  38  firms  had  annual  receipts  of  $25  million  or  more.  114 
 U.  S.  Census  Bureau,  “2002  NAICS  Definitions:  517910  Other  Telecommunications”  (www.  census.  gov.,  visited  Feb.  2006). 


 115  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  Information,  “Establishment  and  Firm  Size 
 (Including  Legal  Form  of  Organization),”  Table  4,  NAICS  code  517910  (issued  Nov.  2005).  116 
 Id.  An  additional  14  firms  had  annual  receipts  of  $25  million  or  more. 
22
 Federal  Communications  Commission  FCC  06-  10 
 23 
 c.  Wireless  Telecommunications  Service  Providers 
 62.  Below,  for  those  services  subject  to  auctions,  we  note  that,  as  a  general  matter,  the  number  of  winning  bidders  that  qualify  as  small  businesses  at  the  close  of  an  auction  does  not  necessarily  represent 


 the  number  of  small  businesses  currently  in  service.  Also,  the  Commission  does  not  generally  track  subsequent  business  size  unless,  in  the  context  of  assignments  or  transfers,  unjust  enrichment  issues  are 
 implicated. 
 63.  Wireless  Service  Providers.  The  SBA  has  developed  a  small  business  size  standard  for  wireless  firms  within  the  two  broad  economic  census  categories  of  “Paging”  117  and  “Cellular  and  Other 


 Wireless  Telecommunications.”  118  Under  both  SBA  categories,  a  wireless  business  is  small  if  it  has  1,500  or  fewer  employees.  For  the  census  category  of  Paging,  Census  Bureau  data  for  2002  show  that  there 
 were  807  firms  in  this  category  that  operated  for  the  entire  year.  119  Of  this  total,  804  firms  had  employment  of  999  or  fewer  employees,  and  three  firms  had  employment  of  1,000  employees  or  more.  120 
 Thus,  under  this  category  and  associated  small  business  size  standard,  the  majority  of  firms  can  be  considered  small.  For  the  census  category  of  Cellular  and  Other  Wireless  Telecommunications,  Census 
 Bureau  data  for  2002  show  that  there  were  1,397  firms  in  this  category  that  operated  for  the  entire  year.  121  Of  this  total,  1,378  firms  had  employment  of  999  or  fewer  employees,  and  19  firms  had  employment  of 
 1,000  employees  or  more.  122  Thus,  under  this  second  category  and  size  standard,  the  majority  of  firms  can,  again,  be  considered  small. 


 64.  Cellular  Licensees.  The  SBA  has  developed  a  small  business  size  standard  for  wireless  firms  within  the  broad  economic  census  category  “Cellular  and  Other  Wireless  Telecommunications.”  123  Under 
 this  SBA  category,  a  wireless  business  is  small  if  it  has  1,500  or  fewer  employees.  For  the  census  category  of  Cellular  and  Other  Wireless  Telecommunications,  Census  Bureau  data  for  2002  show  that 
 there  were  1,397  firms  in  this  category  that  operated  for  the  entire  year.  124  Of  this  total,  1,378  firms  had  employment  of  999  or  fewer  employees,  and  19  firms  had  employment  of  1,000  employees  or  more.  125 
 Thus,  under  this  category  and  size  standard,  the  great  majority  of  firms  can  be  considered  small.  Also,  according  to  Commission  data,  437  carriers  reported  that  they  were  engaged  in  the  provision  of  cellular 
 service,  Personal  Communications  Service  (PCS),  or  Specialized  Mobile  Radio  (SMR)  Telephony  services,  which  are  placed  together  in  the  data.  126  We  have  estimated  that  260  of  these  are  small,  under 


 117  13  C.  F.  R.  §  121.201,  NAICS  code  513321  (changed  to  517211  in  October  2002). 
 118  13  C.  F.  R.  §  121.201,  NAICS  code  513322  (changed  to  517212  in  October  2002). 
 119  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  “Information,”  Table  5,  Employment  Size  of 
 Firms  for  the  United  States:  2002,  NAICS  code  517211  (issued  November  2005).  120 
 Id.  The  census  data  do  not  provide  a  more  precise  estimate  of  the  number  of  firms  that  have  employment  of  1,500  or  fewer  employees;  the  largest  category  provided  is  firms  with  “1000  employees  or  more.” 


 121  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  “Information,”  Table  5,  Employment  Size  of 
 Firms  for  the  United  States:  2002,  NAICS  code  517212  (issued  November  2005).  122 
 Id.  The  census  data  do  not  provide  a  more  precise  estimate  of  the  number  of  firms  that  have  employment  of  1,500  or  fewer  employees;  the  largest  category  provided  is  firms  with  “1000  employees  or  more.” 


 123  13  C.  F.  R.  §  121.201,  NAICS  code  513322  (changed  to  517212  in  October  2002). 
 124  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  “Information,”  Table  5,  Employment  Size  of 
 Firms  for  the  United  States:  2002,  NAICS  code  517212  (issued  November  2005).  125 
 Id.  The  census  data  do  not  provide  a  more  precise  estimate  of  the  number  of  firms  that  have  employment  of  1,500  or  fewer  employees;  the  largest  category  provided  is  firms  with  “1000  employees  or  more.” 


 126  “Trends  in  Telephone  Service”  at  Table  5.3. 
23
 Federal  Communications  Commission  FCC  06-  10 
 24 
 the  SBA  small  business  size  standard.  127 
 65.  Common  Carrier  Paging.  The  SBA  has  developed  a  small  business  size  standard  for  wireless  firms  within  the  broad  economic  census  category,  “Cellular  and  Other  Wireless  Telecommunications.”  128 


 Under  this  SBA  category,  a  wireless  business  is  small  if  it  has  1,500  or  fewer  employees.  For  the  census  category  of  Paging,  Census  Bureau  data  for  2002  show  that  there  were  807  firms  in  this  category  that 
 operated  for  the  entire  year.  129  Of  this  total,  804  firms  had  employment  of  999  or  fewer  employees,  and  three  firms  had  employment  of  1,000  employees  or  more.  130  Thus,  under  this  category  and  associated 
 small  business  size  standard,  the  majority  of  firms  can  be  considered  small.  In  the  Paging  Third  Report  and  Order,  we  developed  a  small  business  size  standard  for  “small  businesses”  and  “very  small 
 businesses”  for  purposes  of  determining  their  eligibility  for  special  provisions  such  as  bidding  credits  and  installment  payments.  131  A  “small  business”  is  an  entity  that,  together  with  its  affiliates  and  controlling 
 principals,  has  average  gross  revenues  not  exceeding  $15  million  for  the  preceding  three  years.  Additionally,  a  “very  small  business”  is  an  entity  that,  together  with  its  affiliates  and  controlling 
 principals,  has  average  gross  revenues  that  are  not  more  than  $3  million  for  the  preceding  three  years.  132  The  SBA  has  approved  these  small  business  size  standards.  133  An  auction  of  Metropolitan  Economic 
 Area  licenses  commenced  on  February  24,  2000,  and  closed  on  March  2,  2000.  134  Of  the  985  licenses  auctioned,  440  were  sold.  Fifty-  seven  companies  claiming  small  business  status  won.  Also,  according  to 
 Commission  data,  375  carriers  reported  that  they  were  engaged  in  the  provision  of  paging  and  messaging  services.  135  Of  those,  we  estimate  that  370  are  small,  under  the  SBA-  approved  small  business  size 
 standard.  136 
 66.  Wireless  Telephony.  Wireless  telephony  includes  cellular,  personal  communications  services  (PCS),  and  specialized  mobile  radio  (SMR)  telephony  carriers.  As  noted  earlier,  the  SBA  has  developed 


 a  small  business  size  standard  for  “Cellular  and  Other  Wireless  Telecommunications”  services.  137  Under  that  SBA  small  business  size  standard,  a  business  is  small  if  it  has  1,500  or  fewer  employees.  138 
 According  to  Commission  data,  445  carriers  reported  that  they  were  engaged  in  the  provision  of  wireless 
 127  Id. 
 128  13  C.  F.  R.  §  121.201,  NAICS  code  513322  (changed  to  517212  in  October  2002). 
 129  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  “Information,”  Table  5,  Employment  Size  of 
 Firms  for  the  United  States:  2002,  NAICS  code  517211  (issued  November  2005).  130 
 Id.  The  census  data  do  not  provide  a  more  precise  estimate  of  the  number  of  firms  that  have  employment  of  1,500  or  fewer  employees;  the  largest  category  provided  is  firms  with  “1000  employees  or  more.” 


 131  Amendment  of  Part  90  of  the  Commission’s  Rules  to  Provide  for  the  Use  of  the  220-  222  MHz  Band  by  the 
 Private  Land  Mobile  Radio  Service,  PR  Docket  No.  89-  552,  Third  Report  and  Order  and  Fifth  Notice  of  Proposed  Rulemaking,  12  FCC  Rcd  10943,  11068-  70,  paras.  291-  295,  62  FR  16004  (Apr.  3,  1997). 


 132  See  Letter  to  Amy  Zoslov,  Chief,  Auctions  and  Industry  Analysis  Division,  Wireless  Telecommunications 
 Bureau,  FCC,  from  A.  Alvarez,  Administrator,  SBA  (Dec.  2,  1998)  (SBA  Dec.  2,  1998  Letter).  133 
 Revision  of  Part  22  and  Part  90  of  the  Commission’s  Rules  to  Facilitate  Future  Development  of  Paging  Systems,  Memorandum  Opinion  and  Order  on  Reconsideration  and  Third  Report  and  Order,  14  FCC  Rcd  10030,  paras.  98-107 


 (1999).  134 
 Id.  at  10085,  para.  98.  135 
 “Trends  in  Telephone  Service”  at  Table  5.3.  136 
 Id.  137 
 13  C.  F.  R.  §  121.201,  NAICS  code  513322  (changed  to  517212  in  October  2002).  138 
 Id. 
24
 Federal  Communications  Commission  FCC  06-  10 
 25 
 telephony.  139  We  have  estimated  that  245  of  these  are  small  under  the  SBA  small  business  size  standard. 
 67.  Broadband  Personal  Communications  Service.  The  broadband  Personal  Communications  Service  (PCS)  spectrum  is  divided  into  six  frequency  blocks  designated  A  through  F,  and  the  Commission 


 has  held  auctions  for  each  block.  The  Commission  defined  “small  entity”  for  Blocks  C  and  F  as  an  entity  that  has  average  gross  revenues  of  $40  million  or  less  in  the  three  previous  calendar  years.  140  For  Block 
 F,  an  additional  classification  for  “very  small  business”  was  added  and  is  defined  as  an  entity  that,  together  with  its  affiliates,  has  average  gross  revenues  of  not  more  than  $15  million  for  the  preceding 
 three  calendar  years.”  141  These  standards  defining  “small  entity”  in  the  context  of  broadband  PCS  auctions  have  been  approved  by  the  SBA.  142  No  small  businesses,  within  the  SBA-  approved  small 
 business  size  standards  bid  successfully  for  licenses  in  Blocks  A  and  B.  There  were  90  winning  bidders  that  qualified  as  small  entities  in  the  Block  C  auctions.  A  total  of  93  small  and  very  small  business 
 bidders  won  approximately  40  percent  of  the  1,479  licenses  for  Blocks  D,  E,  and  F.  143  On  March  23,  1999,  the  Commission  re-  auctioned  347  C,  D,  E,  and  F  Block  licenses.  There  were  48  small  business 
 winning  bidders.  On  January  26,  2001,  the  Commission  completed  the  auction  of  422  C  and  F  Broadband  PCS  licenses  in  Auction  No.  35.  Of  the  35  winning  bidders  in  this  auction,  29  qualified  as 
 “small”  or  “very  small”  businesses.  Subsequent  events,  concerning  Auction  35,  including  judicial  and  agency  determinations,  resulted  in  a  total  of  163  C  and  F  Block  licenses  being  available  for  grant. 


 68.  Narrowband  Personal  Communications  Services.  To  date,  two  auctions  of  narrowband  personal  communications  services  (PCS)  licenses  have  been  conducted.  For  purposes  of  the  two  auctions 
 that  have  already  been  held,  “small  businesses”  were  entities  with  average  gross  revenues  for  the  prior  three  calendar  years  of  $40  million  or  less.  Through  these  auctions,  the  Commission  has  awarded  a  total 
 of  41  licenses,  out  of  which  11  were  obtained  by  small  businesses.  To  ensure  meaningful  participation  of  small  business  entities  in  future  auctions,  the  Commission  has  adopted  a  two-  tiered  small  business  size 
 standard  in  the  Narrowband  PCS  Second  Report  and  Order.  144  A  “small  business”  is  an  entity  that,  together  with  affiliates  and  controlling  interests,  has  average  gross  revenues  for  the  three  preceding  years 
 of  not  more  than  $40  million.  A  “very  small  business”  is  an  entity  that,  together  with  affiliates  and  controlling  interests,  has  average  gross  revenues  for  the  three  preceding  years  of  not  more  than  $15 
 million.  The  SBA  has  approved  these  small  business  size  standards.  145  In  the  future,  the  Commission  will  auction  459  licenses  to  serve  Metropolitan  Trading  Areas  (MTAs)  and  408  response  channel  licenses. 
 There  is  also  one  megahertz  of  narrowband  PCS  spectrum  that  has  been  held  in  reserve  and  that  the  Commission  has  not  yet  decided  to  release  for  licensing.  The  Commission  cannot  predict  accurately  the 


 139  “Trends  in  Telephone  Service”  at  Table  5.3. 
 140  See  Amendment  of  Parts  20  and  24  of  the  Commission’s  Rules  –  Broadband  PCS  Competitive  Bidding  and  the 
 Commercial  Mobile  Radio  Service  Spectrum  Cap,  WT  Docket  No.  96-  59,  Report  and  Order,  11  FCC  Rcd  7824,  61  FR  33859  (July  1,  1996)  (PCS  Order);  see  also  47  C.  F.  R.  §  24.  720(  b). 


 141  See  PCS  Order,  11  FCC  Rcd  7824. 
 142  See,  e.  g.,  Implementation  of  Section  309(  j)  of  the  Communications  Act  –  Competitive  Bidding,  PP  Docket  No. 
 93-  253,  Fifth  Report  and  Order,  9  FCC  Rcd  5332,  59  FR  37566  (July  22,  1994).  143 
 FCC  News,  Broadband  PCS,  D,  E  and  F  Block  Auction  Closes,  No.  71744  (rel.  Jan.  14,  1997);  see  also  Amendment  of  the  Commission’s  Rules  Regarding  Installment  Payment  Financing  for  Personal  Communications 


 Services  (PCS)  Licenses,  WT  Docket  No.  97-  82,  Second  Report  and  Order,  12  FCC  Rcd  16436,  62  FR  55348  (Oct.  24,  1997). 
 144  Amendment  of  the  Commission’s  Rules  to  Establish  New  Personal  Communications  Services,  Narrowband  PCS, 
 Docket  No.  ET  92-  100,  Docket  No.  PP  93-  253,  Second  Report  and  Order  and  Second  Further  Notice  of  Proposed  Rulemaking,  15  FCC  Rcd  10456,  65  FR  35875  (June  6,  2000). 


 145  See  SBA  Dec.  2,  1998  Letter. 
25
 Federal  Communications  Commission  FCC  06-  10 
 26 
 number  of  licenses  that  will  be  awarded  to  small  entities  in  future  auctions.  However,  four  of  the  16  winning  bidders  in  the  two  previous  narrowband  PCS  auctions  were  small  businesses,  as  that  term  was 
 defined.  The  Commission  assumes,  for  purposes  of  this  analysis  that  a  large  portion  of  the  remaining  narrowband  PCS  licenses  will  be  awarded  to  small  entities.  The  Commission  also  assumes  that  at  least 
 some  small  businesses  will  acquire  narrowband  PCS  licenses  by  means  of  the  Commission’s  partitioning  and  disaggregation  rules. 


 69.  Rural  Radiotelephone  Service.  The  Commission  has  not  adopted  a  size  standard  for  small  businesses  specific  to  the  Rural  Radiotelephone  Service.  146  A  significant  subset  of  the  Rural 
 Radiotelephone  Service  is  the  Basic  Exchange  Telephone  Radio  System  (BETRS).  147  The  Commission  uses  the  SBA’s  small  business  size  standard  applicable  to  “Cellular  and  Other  Wireless 
 Telecommunications,”  i.  e.,  an  entity  employing  no  more  than  1,500  persons.  148  There  are  approximately  1,000  licensees  in  the  Rural  Radiotelephone  Service,  and  the  Commission  estimates  that  there  are  1,000 
 or  fewer  small  entity  licensees  in  the  Rural  Radiotelephone  Service  that  may  be  affected  by  the  rules  and  policies  adopted  herein. 


 70.  Air-  Ground  Radiotelephone  Service.  The  Commission  has  not  adopted  a  small  business  size  standard  specific  to  the  Air-  Ground  Radiotelephone  Service.  149  We  will  use  SBA’s  small  business  size 
 standard  applicable  to  “Cellular  and  Other  Wireless  Telecommunications,”  i.  e.,  an  entity  employing  no  more  than  1,500  persons.  150  There  are  approximately  100  licensees  in  the  Air-  Ground  Radiotelephone 
 Service,  and  we  estimate  that  almost  all  of  them  qualify  as  small  under  the  SBA  small  business  size  standard. 


 71.  Offshore  Radiotelephone  Service.  This  service  operates  on  several  UHF  television  broadcast  channels  that  are  not  used  for  television  broadcasting  in  the  coastal  areas  of  states  bordering  the  Gulf  of 
 Mexico.  151  There  are  presently  approximately  55  licensees  in  this  service.  We  are  unable  to  estimate  at  this  time  the  number  of  licensees  that  would  qualify  as  small  under  the  SBA’s  small  business  size 
 standard  for  “Cellular  and  Other  Wireless  Telecommunications”  services.  152  Under  that  SBA  small  business  size  standard,  a  business  is  small  if  it  has  1,500  or  fewer  employees.  153 


 2.  Cable  and  OVS  Operators 
 72.  Cable  and  Other  Program  Distribution.  This  category  includes  cable  systems  operators,  closed  circuit  television  services,  direct  broadcast  satellite  services,  multipoint  distribution  systems, 


 satellite  master  antenna  systems,  and  subscription  television  services.  The  SBA  has  developed  small  business  size  standard  for  this  census  category,  which  includes  all  such  companies  generating  $12.5 
 million  or  less  in  revenue  annually.  154  According  to  Census  Bureau  data  for  2002,  there  were  a  total  of 
 146  The  service  is  defined  in  section  22.  99  of  the  Commission’s  Rules,  47  C.  F.  R.  §  22.  99. 
 147  BETRS  is  defined  in  sections  22.  757  and  22.  759  of  the  Commission’s  Rules,  47  C.  F.  R.  §§  22.  757  and  22.  759. 
 148  13  C.  F.  R.  §  121.201,  NAICS  code  517212. 
 149  The  service  is  defined  in  section  22.  99  of  the  Commission’s  Rules,  47  C.  F.  R.  §  22.  99. 
 150  13  C.  F.  R.  §  121.201,  NAICS  codes  517212. 
 151  This  service  is  governed  by  Subpart  I  of  Part  22  of  the  Commission’s  rules.  See  47  C.  F.  R.  §§  22.  1001-  22.  1037. 
 152  13  C.  F.  R.  §  121.201,  NAICS  code  513322  (changed  to  517212  in  October  2002). 
 153  Id. 
 154  13  C.  F.  R.  §  121.201,  North  American  Industry  Classification  System  (NAICS)  code  513220  (changed  to  517510 
 in  October  2002). 
26
 Federal  Communications  Commission  FCC  06-  10 
 27 
 1,191  firms  in  this  category  that  operated  for  the  entire  year.  155  Of  this  total,  1,087  firms  had  annual  receipts  of  under  $10  million,  and  43  firms  had  receipts  of  $10  million  or  more  but  less  than  $25 
 million.  156  Consequently,  the  Commission  estimates  that  the  majority  of  providers  in  this  service  category  are  small  businesses  that  may  be  affected  by  the  rules  and  policies  adopted  herein. 


 73.  Cable  System  Operators.  The  Commission  has  developed  its  own  small  business  size  standards  for  cable  system  operators,  for  purposes  of  rate  regulation.  Under  the  Commission’s  rules,  a 
 “small  cable  company”  is  one  serving  fewer  than  400,000  subscribers  nationwide.  157  In  addition,  a  “small  system”  is  a  system  serving  15,000  or  fewer  subscribers.  158 


 74.  Cable  System  Operators  (Telecom  Act  Standard).  The  Communications  Act  of  1934,  as  amended,  also  contains  a  size  standard  for  small  cable  system  operators,  which  is  “a  cable  operator  that, 
 directly  or  through  an  affiliate,  serves  in  the  aggregate  fewer  than  1  percent  of  all  subscribers  in  the  United  States  and  is  not  affiliated  with  any  entity  or  entities  whose  gross  annual  revenues  in  the  aggregate 
 exceed  $250,000,000.”  159  The  Commission  has  determined  that  there  are  approximately  67,  700,  000  subscribers  in  the  United  States.  160  Therefore,  an  operator  serving  fewer  than  677,000  subscribers  shall 
 be  deemed  a  small  operator,  if  its  annual  revenues,  when  combined  with  the  total  annual  revenues  of  all  its  affiliates,  do  not  exceed  $250  million  in  the  aggregate.  161  Based  on  available  data,  the  Commission 
 estimates  that  the  number  of  cable  operators  serving  677,000  subscribers  or  fewer,  totals  1,450.  The  Commission  neither  requests  nor  collects  information  on  whether  cable  system  operators  are  affiliated 
 with  entities  whose  gross  annual  revenues  exceed  $250  million,  162  and  therefore  is  unable,  at  this  time,  to  estimate  more  accurately  the  number  of  cable  system  operators  that  would  qualify  as  small  cable 
 operators  under  the  size  standard  contained  in  the  Communications  Act  of  1934. 
 75.  Open  Video  Services.  Open  Video  Service  (OVS)  systems  provide  subscription  services.  163  The  SBA  has  created  a  small  business  size  standard  for  Cable  and  Other  Program  Distribution.  164  This 


 standard  provides  that  a  small  entity  is  one  with  $12.  5  million  or  less  in  annual  receipts.  The  Commission  has  certified  approximately  25  OVS  operators  to  serve  75  areas,  and  some  of  these  are  currently  providing 
 service.  165  Affiliates  of  Residential  Communications  Network,  Inc.  (RCN)  received  approval  to  operate 


 155  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  Information,  Table  4,  Receipts  Size  of  Firms  for 
 the  United  States:  2002,  NAICS  code  517510  (issued  November  2005).  156 
 Id.  An  additional  61  firms  had  annual  receipts  of  $25  million  or  more.  157 
 47  C.  F.  R.  §  76.  901(  e).  The  Commission  determined  that  this  size  standard  equates  approximately  to  a  size  standard  of  $100  million  or  less  in  annual  revenues.  Implementation  of  Sections  of  the  1992  Cable  Act:  Rate 


 Regulation,  Sixth  Report  and  Order  and  Eleventh  Order  on  Reconsideration,  10  FCC  Rcd  7393,  7408  (1995).  158 
 47  C.  F.  R.  §  76.  901(  c).  159 
 47  U.  S.  C.  §  543(  m)(  2);  see  47  C.  F.  R.  §  76.  901(  f)  &  nn.  1-  3.  160 
 See  Public  Notice,  FCC  Announces  New  Subscriber  Count  for  the  Definition  of  Small  Cable  Operator,  DA  01-  158  (Cable  Services  Bureau,  Jan.  24,  2001). 


 161  47  C.  F.  R.  §  76.  901(  f). 
 162  The  Commission  does  receive  such  information  on  a  case-  by-  case  basis  if  a  cable  operator  appeals  a  local 
 franchise  authority’s  finding  that  the  operator  does  not  qualify  as  a  small  cable  operator  pursuant  to  §  76.901(  f)  of  the  Commission’s  rules.  See  47  C.  F.  R.  §  76.  909(  b). 


 163  See  47  U.  S.  C.  §  573. 
 164  13  C.  F.  R.  §  121.201,  NAICS  code  513220  (changed  to  517510  in  October  2002). 
 165  See  <http://  www.  fcc.  gov/  csb/  ovs/  csovscer.  html>  (current  as  of  March  2002). 
27
 Federal  Communications  Commission  FCC  06-  10 
 28 
 OVS  systems  in  New  York  City,  Boston,  Washington,  D.  C.,  and  other  areas.  RCN  has  sufficient  revenues  to  assure  that  they  do  not  qualify  as  a  small  business  entity.  Little  financial  information  is 
 available  for  the  other  entities  that  are  authorized  to  provide  OVS  and  are  not  yet  operational.  Given  that  some  entities  authorized  to  provide  OVS  service  have  not  yet  begun  to  generate  revenues,  the 
 Commission  concludes  that  up  to  24  OVS  operators  (those  remaining)  might  qualify  as  small  businesses  that  may  be  affected  by  the  rules  and  policies  adopted  herein. 


 3.  Internet  Service  Providers 
 76.  Internet  Service  Providers.  The  SBA  has  developed  a  small  business  size  standard  for  Internet  Service  Providers  (ISPs).  ISPs  “provide  clients  access  to  the  Internet  and  generally  provide 


 related  services  such  as  web  hosting,  web  page  designing,  and  hardware  or  software  consulting  related  to  Internet  connectivity.”  166  Under  the  SBA  size  standard,  such  a  business  is  small  if  it  has  average  annual 
 receipts  of  $21  million  or  less.  167  According  to  Census  Bureau  data  for  2002,  there  were  2,529  firms  in  this  category  that  operated  for  the  entire  year.  168  Of  these,  2,437  firms  had  annual  receipts  of  under  $10 
 million,  and  47  firms  had  receipts  of  $10  million  or  more  but  less  then  $25  million.  169  Consequently,  we  estimate  that  the  majority  of  these  firms  are  small  entities  that  may  be  affected  by  our  action. 


 77.  All  Other  Information  Services.  “This  industry  comprises  establishments  primarily  engaged  in  providing  other  information  services  (except  new  syndicates  and  libraries  and  archives).”  170  Our  action 
 pertains  to  VoIP  services,  which  could  be  provided  by  entities  that  provide  other  services  such  as  email,  online  gaming,  web  browsing,  video  conferencing,  instant  messaging,  and  other,  similar  IP-  enabled 
 services.  The  SBA  has  developed  a  small  business  size  standard  for  this  category;  that  size  standard  is  $6  million  or  less  in  average  annual  receipts.  171  According  to  Census  Bureau  data  for  1997,  there  were  195 
 firms  in  this  category  that  operated  for  the  entire  year.  172  Of  these,  172  had  annual  receipts  of  under  $5  million,  and  an  additional  nine  firms  had  receipts  of  between  $5  million  and  $9,999,999.  Consequently, 
 we  estimate  that  the  majority  of  these  firms  are  small  entities  that  may  be  affected  by  our  action. 
 D.  Description  of  Projected  Reporting,  Recordkeeping  and  Other  Compliance  Requirements 


 78.  Should  the  Commission  decide  to  adopt  any  regulations  to  ensure  that  all  providers  of  telecommunications  services  meet  consumer  protection  needs  in  regard  to  CPNI,  the  associated  rules 
 potentially  could  modify  the  reporting  and  recordkeeping  requirements  of  certain  telecommunications 


 166  U.  S.  Census  Bureau,  “2002  NAICS  Definitions:  518111  Internet  Service  Providers”  (Feb.  2004) 
 <www.  census.  gov>.  167 
 13  C.  F.  R.  §  121.201,  NAICS  code  518111  (changed  from  previous  code  514191,  “On-  Line  Information  Services,”  in  Oct.  2002). 


 168  U.  S.  Census  Bureau,  2002  Economic  Census,  Subject  Series:  Information,  Table  4,  Receipts  Size  of  Firms  for 
 the  United  States:  2002,  NAICS  code  518111  (issued  November  2005).  169 
 Id.  An  additional  45  firms  had  annual  receipts  of  $25  million  or  more.  170 
 U.  S.  Census  Bureau,  “2002  NAICS  Definitions:  519190  All  Other  Information  Services”  (Feb.  2004)  <www.  census.  gov>. 


 171  13  C.  F.  R.  §  121.201,  NAICS  code  519190  (changed  from  514199  in  Oct.  2002). 
 172  U.  S.  Census  Bureau,  1997  Economic  Census,  Subject  Series:  Information,  “Establishment  and  Firm  Size 
 (Including  Legal  Form  of  Organization),”  Table  4,  NAICS  code  514199  (issued  Oct.  2000).  This  category  was  created  for  the  2002  Economic  Census  by  taking  a  portion  of  the  superseded  1997  category,  “All  Other  Information 


 Services,”  NAICS  code  514199.  The  data  cited  in  the  text  above  are  derived  from  the  superseded  category. 
28
 Federal  Communications  Commission  FCC  06-  10 
 29 
 providers.  We  could,  for  instance,  require  that  telecommunications  providers  require  customer  password-related  security  procedures  to  access  CPNI  data  and/  or  encrypt  CPNI  data.  173  We  could  also  require  that 
 telecommunications  providers  maintain  more  extensive  records  regarding  CPNI  data  and  report  additional  CPNI  information  to  their  customers  and  the  Commission.  174  We  tentatively  conclude  that  the 
 Commission  should  amend  its  rules  to  require  carriers  to  certify  no  later  than  January  1st  (or  other  date  specified  by  the  Commission)  of  each  year,  covering  the  preceding  calendar  year,  and  to  file  the 
 compliance  certificate  with  the  Commission  within  30  days.  175  We  further  tentatively  conclude  that  carriers  should  attach  to  this  annual  section  64.2009(  e)  certification  an  explanation  of  any  actions  taken 
 against  data  brokers  and  a  summary  of  all  consumer  complaints  received  in  the  past  year  concerning  the  unauthorized  release  of  CPNI.  176  These  proposals  may  impose  additional  reporting  or  recordkeeping 
 requirements  on  entities.  We  seek  comment  on  the  possible  burden  these  requirements  would  place  on  small  entities.  177  Also,  we  seek  comment  on  whether  a  special  approach  toward  any  possible  compliance 
 burdens  on  small  entities  might  be  appropriate.  178  Entities,  especially  small  businesses,  are  encouraged  to  quantify  the  costs  and  benefits  of  any  reporting  requirement  that  may  be  established  in  this  proceeding.  179 


 E.  Steps  Taken  to  Minimize  Significant  Economic  Impact  on  Small  Entities,  and  Significant  Alternatives  Considered 
 79.  The  RFA  requires  an  agency  to  describe  any  significant  alternatives  that  it  has  considered  in  reaching  its  proposed  approach,  which  may  include  (among  others)  the  following  four  alternatives: 
 (1)  the  establishment  of  differing  compliance  or  reporting  requirements  or  timetables  that  take  into  account  the  resources  available  to  small  entities;  (2)  the  clarification,  consolidation,  or  simplification  of 
 compliance  or  reporting  requirements  under  the  rule  for  small  entities;  (3)  the  use  of  performance,  rather  than  design,  standards;  and  (4)  an  exemption  from  coverage  of  the  rule,  or  any  part  thereof,  for  small 
 entities.  180 
 80.  The  Commission’s  primary  objective  is  to  develop  a  framework  for  protecting  a  customer’s  CPNI,  regardless  of  the  customer’s  underlying  technology.  We  seek  comment  here  on  the  effect  the 


 various  proposals  described  in  the  Notice  will  have  on  small  entities,  and  on  what  effect  alternative  rules  would  have  on  those  entities.  181  We  invite  comment  on  ways  in  which  the  Commission  can  achieve  its 
 goal  of  protecting  consumers  while  at  the  same  time  impose  minimal  burdens  on  small  telecommunications  service  providers.  With  respect  to  any  of  our  consumer  protection  regulations 
 already  in  place,  has  the  Commission  adopted  any  provisions  for  small  entities  that  we  should  similarly  consider  here?  Specifically,  we  invite  comment  on  whether  the  problems  identified  by  EPIC  are  better  or 
 worse  at  smaller  carriers.  182  We  invite  comment  on  whether  small  carriers  should  be  exempt  from 


 173  See  Notice  at  paras.  16,  19. 
 174  See  Notice  at  paras.  18,  23,  29,  30. 
 175  See  Notice  at  para.  29. 
 176  See  id. 
 177  See  Notice  at  paras.  16,  18,  19,  23,  29. 
 178  See  Notice  at  para.  30. 
 179  See  Notice  at  paras.  12,  19,  20,  23. 
 180  5  U.  S.  C.  §  603(  c). 
 181  See  Notice  at  paras.  11,  12,  16,  18,  19,  23,  29,  30. 
 182  See  Notice  at  para.  11. 
29
 Federal  Communications  Commission  FCC  06-  10 
 30 
 password-  related  security  procedures  to  protect  CPNI.  183  We  invite  comment  on  the  benefits  and  burdens  of  recording  audit  trails  for  the  disclosure  of  CPNI  on  small  carriers.  184  We  invite  comment  on  whether 
 requiring  a  small  carrier  to  encrypt  its  stored  data  would  be  unduly  burdensome.  185  We  solicit  comment  on  the  cost  to  a  small  carrier  of  notifying  a  customer  upon  release  of  CPNI.  186  We  seek  comment  on 
 whether  the  Commission  should  amend  its  rules  to  require  carriers  to  file  annual  certifications  concerning  CPNI  and  whether  this  requirement  should  extend  to  only  telecommunications  carriers  that  are  not  small 
 telephone  companies  as  defined  by  the  Small  Business  Administration,  and  whether  small  carriers  should  be  subject  to  different  CPNI-  related  obligations.  187 


 F.  Federal  Rules  that  May  Duplicate,  Overlap,  or  Conflict  with  the  Proposed  Rules 
 81.  None. 


 183  See  Notice  at  para.  16. 
 184  See  Notice  at  para.  18. 
 185  See  Notice  at  para.  19. 
 186  See  Notice  at  para.  23. 
 187  See  Notice  at  paras.  29-  30. 
30
 Federal  Communications  Commission  FCC  06-  10 
 31 
 STATEMENT  OF  CHAIRMAN  KEVIN  J.  MARTIN 
 Re:  Implementation  of  the  Telecommunications  Act  of  1996;  Petition  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer  Proprietary  Network  Information, 
 CC  Docket  No.  96-  115,  RM-  11277 
 With  this  Notice  of  Proposed  Rulemaking,  we  ask  how  we  can  better  protect  customers’  private  telephone  records  from  unauthorized  disclosure.  This  item  responds  directly  to  the  petition  filed  with  the 
 Commission  by  the  Electronic  Privacy  Information  Center  (EPIC).  In  its  Petition,  EPIC  expresses  concerns  about  the  sufficiency  of  carrier  practices  relating  to  customer  proprietary  network  information 
 (CPNI)  in  light  of  numerous  reports  that  online  “data  brokers”  and  private  investigators  are  engaged  in  the  sale  of  customers’  personal  telephone  records.  EPIC  claims  that  these  data  brokers  are  obtaining 
 unauthorized  access  to  CPNI  through  various  possible  means,  including  through  “pretexting”  –  that  is,  by  pretending  to  be  a  customer  seeking  access  to  that  customer’s  own  telephone  records.  Today,  we  seek 
 comment  on  whether  additional  Commission  rules  are  necessary  to  strengthen  the  safeguards  currently  in  place  to  protect  consumers’  sensitive  telephone  record  data.  I  support  this  Notice  because  I  am  deeply 
 concerned  about  reports  of  companies  trafficking  in  personal  telephone  records  and  I  want  to  thank  my  fellow  Commissioners  for  considering  this  Notice  expeditiously. 
31
 Federal  Communications  Commission  FCC  06-  10 
 32 
 STATEMENT  OF  COMMISSIONER  MICHAEL  J.  COPPS 
 Re:  Implementation  of  the  Telecommunications  Act  of  1996;  Petition  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer  Proprietary  Network  Information, 
 CC  Docket  No.  96-  115,  RM-  11277 
 American  consumers  deserve  the  security  of  knowing  that  their  personal  phone  records  are  not  for  sale.  By  starting  this  proceeding,  we  pledge  to  protect  consumers  from  unscrupulous  data  brokers  who 
 have  built  a  business  on  selling  information  about  our  private  conversations.  The  Commission  also  commits  to  adjusting  its  rules  to  further  safeguard  privacy  and  prevent  the  unauthorized  disclosure  of 
 customer  proprietary  network  information  (CPNI).  For  these  reasons,  I  am  pleased  to  support  today’s  effort. 


 Privacy  issues  must  always  be  on  the  Commission’s  front  burner  –  but  sometimes  they  languish.  We  have  a  three-  and-  a-  half-  year-  old  Notice  of  Proposed  Rulemaking  on  CPNI  safeguards  and 
 enforcement  that  needs  to  be  acted  on.  We  have  a  three-  year-  old  proceeding  on  the  dissemination  of  CPNI  to  unaffiliated  third  parties,  initiated  by  a  petition  from  the  Arizona  Corporation  Commission,  that 
 also  has  stalled.  And  last  year,  we  reclassified  wireline  broadband  Internet  access  services,  but  left  for  another  day  the  chilling  question  of  whether  or  not  privacy  protections  followed  this  regulatory  remix. 
 It’s  time  to  move  ahead.  I  hope  today  we  begin  a  new  chapter. 
 We  live  in  a  day  and  age  where  our  cherished  right  to  privacy  suffers  from  a  daily  fusillade  of  data  gathering.  Companies  can  monitor  what  we  do,  stores  can  study  what  we  buy,  technologies  can  track 
 what  we  watch,  see  and  hear.  Consumers  rightfully  expect  that  regulatory  agencies  like  this  one  will  do  something  to  protect  them  from  this  bombardment,  to  give  them  a  measure  of  confidence  that  not  every 
 aspect  of  their  personal  information  is  available  to  the  highest  bidder. 
32
 Federal  Communications  Commission  FCC  06-  10 
 33 
 STATEMENT  OF  COMMISSIONER  JONATHAN  S.  ADELSTEIN 
 Re:  Implementation  of  the  Telecommunications  Act  of  1996;  Petition  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer  Proprietary  Network  Information, 
 CC  Docket  No.  96-  115,  RM-  11277 
 I  am  very  pleased  that  we  open  this  rulemaking  to  address  an  issue  of  momentous  personal  importance  to  American  consumers:  the  troublesome  proliferation  of  telephone  call  records  being  made 
 available  on  the  Internet  without  customers’  knowledge  or  consent.  Last  summer,  a  watchful  public  interest  group,  the  Electronic  Privacy  Information  Center  (EPIC),  alerted  the  FCC  to  this  trend  and  filed  a 
 petition  asking  us  to  tighten  our  rules  for  protecting  consumer  call  records.  We  take  an  important  step  here  by  granting  EPIC’s  petition  and  issuing  this  Notice  of  Proposed  Rulemaking  to  find  ways  to  tighten 
 our  rules  and  provide  greater  security  for  these  sensitive  consumer  records. 
 Telephone  call  records  can  include  some  of  the  most  private  personal  information  about  an  individual.  Finding  out  who  people  are  calling  and  for  how  long  can  be  like  picking  someone’s  brain 
 about  their  friends,  plans  or  business  dealings.  Unauthorized  access  to  call  records  is  a  highly  invasive  intrusion  into  both  the  personal  and  professional  lives  of  consumers.  Disclosure  of  these  records  is  far 
 more  than  a  mere  annoyance;  indeed,  it  can  lead  to  tragic  consequences. 
 Congress  recognized  the  sensitivity  of  this  information  in  the  Telecommunications  Act  of  1996  when  it  prohibited  phone  companies  from  using  or  disclosing  customer  proprietary  network  information 
 without  the  customer’s  approval.  It  charged  the  Commission  with  enforcing  this  privacy  protection  and  the  Commission  has  previously  adopted  a  set  of  rules  designed  to  ensure  that  telephone  companies  have 
 effective  safeguards  in  place. 
 Telephone  companies  are  required  to  have  firewalls  in  place  to  protect  consumers’  private  information  but  instead  these  records  are  blazing  all  over  the  Internet,  available  on  numerous  web  sites 
 even  as  we  issue  this  Notice.  I  appreciate  the  recent  efforts  of  several  phone  companies  to  take  legal  action  against  data  brokers.  This  is  an  important  step  to  shutting  these  data  brokers  down.  Still,  the 
 Commission  must  also  take  immediate  steps  to  ensure  that  we  have  sufficiently  strong  consumer  privacy  rules  in  place  and  that  phone  companies  are  employing  effective  safeguards  to  shield  this  data  from  harm. 
 So,  our  efforts  here  to  strengthen  our  rules  are  critical  and  time  sensitive.  We  ask  the  right  questions  in  this  Notice,  and  I’m  glad  that  we  once  again  seek  comment  on  how  to  protect  consumer  privacy  as 
 communications  migrate  to  broadband  and  IP  platforms.  Our  challenge  now  will  be  to  move  quickly  to  shut  the  tap  on  this  information  drain. 


 I  also  support  our  efforts  to  bring  swift  enforcement  action  against  companies  that  are  violating  our  rules.  Even  as  we  look  to  improve  our  rules  and  as  Congress  considers  additional  safeguards,  we 
 must  use  our  existing  authority  to  quickly  address  abuses  of  this  private  information. 
33
 Federal  Communications  Commission  FCC  06-  10 
 34 
 STATEMENT  OF  COMMISSIONER  DEBORAH  TAYLOR  TATE 
 Re:  Implementation  of  the  Telecommunications  Act  of  1996;  Petition  for  Rulemaking  to  Enhance  Security  and  Authentication  Standards  for  Access  to  Customer  Proprietary  Network  Information, 
 CC  Docket  No.  96-  115,  RM-  11277 
 The  brokerage  of  personal  information  –  whether  it  be  personal  identity,  financial  records,  or  a  list  of  your  phone  calls  –  is  intolerable.  “Pretexting”  is  nothing  more  than  stealing;  robbing  consumers  in 
 a  variety  of  slick  ways  of  their  most  personal  information. 
 I  support  this  Notice  of  Proposed  Rulemaking  and  Chairman  Martin’s  call  for  swift  action  by  this  Commission  to  see  that  we  are  doing  our  part  to  protect  the  consumers  who  look  to  us  to  ensure  that  the 


 proper  rules  are  in  place  to  keep  their  personal  phone  data  confidential.  State  Attorneys  General  have  been  very  active  pursuing  the  companies  behind  these  criminal  acts,  and  I  commend  them  for  their 
 efforts.  Also,  our  partners  at  the  Federal  Trade  Commission  have  been  actively  investigating  the  practice  of  fraudulently  obtaining  and  selling  personal  data,  including  call  records. 


 While  my  philosophy  leans  towards  market-  based  solutions  with  minimal  government  intervention,  this  issue  provides  a  perfect  example  of  the  appropriateness  of  government  intervention, 
 investigation,  and  enforcement.  Indeed,  national  security  is  of  utmost  importance,  but  so  is  personal  security.  We  must  be  as  vigilant  to  protect  our  personal  digital  borders  as  we  are  our  nation’s  physical 
 borders. 
 The  action  we  take  today  should  send  a  clear  message  to  information  snatchers  –  who  are  attacking  our  citizens  in  the  privacy  of  their  own  homes  –  that  we  take  seriously  our  obligation  to  protect 


 consumers’  most  personal  information. 
34