Recently, investigative journalists at The Intercept revealed that Securus, a nationwide provider of phone and video services to jails and prisons, suffered a massive security breach when someone obtained, and then leaked, records of more than 70 million phone calls made by prisoners across the country, along with links to downloadable recordings of those calls. Among these calls were records of “at least 14,000 recorded conversations between inmates and attorneys.” In fact, The Intercept claims that Securus has amassed a huge database of federally protected customer proprietary network information (CPNI, or “metadata”: the number you call, at what time, and for how long) and has been storing this data for years. The Intercept also reports that Securus may be selling access to this data to law enforcement investigators.
Securus has disclaimed responsibility for the breach and denies selling call recordings and information. Last week, the FCC issued a response. Regardless, this incident raises important questions about whether Securus (and, by extension, other phone providers) is living up to its security promises or its legal obligations to protect its users’ data. As the agency charged with overseeing privacy protections for telecommunications consumers, the FCC has the authority and expertise to investigate these allegations of misconduct. The FCC should heed this wake-up call to thoroughly investigate these issues.
The FCC has established expertise in ensuring that telecommunications (and video) providers’ use and disclosure of customer information stays within the boundaries of the law and is appropriately authorized. We need the FCC’s expertise (and its authority to investigate and enforce) when complicated questions about the privacy of our communications arise. Section 222 of the Communications Act provides robust privacy protections for consumers of telecommunications services. This section requires carriers like Securus to take “every reasonable precaution” to protect the confidentiality of the customer information (metadata) associated with their phone calls. Under Section 222, absent the customer’s own approval, providers may use or disclose CPNI metadata in only two situations: (a) when it is necessary to provide service to the customer (such as passing routing data from one telephone company to another in order to complete a call), and (b) when required to do so by law.
The FCC also has extensive data breach regulations implementing Section 222. These include a rule requiring providers to notify law enforcement promptly upon discovering a breach of CPNI. It is unclear whether Securus complied with this provision, but an FCC investigation should provide the answer. The legal implications don’t stop there. Section 605 of the Communications Act prohibits the unauthorized interception (wiretapping) and divulgence of communications. The Securus leak indicates that the company may have violated Section 605 by recording and disclosing prisoners’ privileged communications with their attorneys.
It’s worth noting that, like many regulations, Sections 222 (CPNI) and 605 (wiretapping) have baked-in exceptions for law enforcement access to otherwise protected data, with the use of a court order or similar legal authority. These exceptions recognize that some monitoring of communications with incarcerated persons may be necessary to protect the safety and security of that facility. But those exceptions are deliberately limited, and funneled through the legal process; they do not, and cannot, justify blanket monitoring and recording of prisoners’ privileged communications. Systems like Securus’ must be designed to allow the monitoring of information that is not privileged and confidential, and the safeguarding of the information that is.
Neither goal requires that call records be stored indefinitely, as Securus’ reportedly were. Once the data has been reviewed and there’s no lawful need to maintain the information, there should be a process for purging that data from the database. The obligation that providers cooperate with law enforcement does not provide an absolute right to use or allow blanket access to customers’ metadata, even when those customers are imprisoned. In 2013, addressing AT&T’s sale of its customers’ CPNI to the CIA, Public Knowledge submitted a petition asking the FCC to rule that such use violated Section 222.
Some have suggested that the FTC should enforce this type of privacy protection, but while the FTC may play a helpful role in privacy oversight, it lacks the specific tools in Section 222 and Section 605 to provide the protections consumers need in this area. As the expert agency, the FCC should carry out this investigation.
The Securus leak is a scary reminder that the FCC must resolve these questions and evaluate information sharing practices between telecommunications providers and law enforcement or third parties. As the agency responsible for protecting consumer privacy in telecommunications services, it’s up to the FCC to do right by all our data and investigate Securus — because if companies can record confidential communications in prisons, they could do so anywhere.
Image credit: Flickr user Truthout.org