The Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones—a phone not explicitly linked to your identity at the point of purchase—which would impact privacy-conscious people, to domestic abuse survivors, to journalists, and many more. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.
The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.
“For decades, civil libertarians have looked overseas at authoritarian countries where the government requires people to register to get a mobile phone to ensure they can be tracked. We never thought that would happen here,” Jay Stanley, senior policy analyst at the American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project told 404 Media in an email. “But make no mistake: with this rulemaking, the government is contemplating taking away people’s ability to get a burner phone, which will hurt low-income people, domestic violence victims, and anyone else who cares about their privacy.”
In a synopsis of the proposed changes, the FCC writes, “Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services.” The goal of collecting this data, the FCC writes, is to deter some scammers from getting onto a telecom network in the first place, and so “enforcers will be better able to identify the scammers when they do.” The FCC compares the changes to the sort of data collected by banks to prevent money laundering.
One section stresses that the newly collected data would help “law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information.” It goes on to ask if the data would help identify people buying and selling illicit goods; the investigation of “fraud, espionage, or influence operations that undermine national security”, and “address abuse in text messaging networks.”
“Criminals continue to leverage the anonymity provided by phone calls and texts to defraud Americans and exploit communications networks to further other crimes,” one section reads.
At the moment, the FCC is seeking comments about its proposed changes, with interested or concerned parties—think telecom companies, law enforcement, or privacy advocates—able to weigh in. But the intention of the FCC is clear: the agency wants telecoms to be legally obligated to collect much more personally identifying information on new and returning customers, linking them directly to their phone number and phone usage data. The FCC also asks whether the amount of data collected should change depending on whether a customer is seeking a prepaid or a postpaid service plan.
Multiple privacy and technology experts strongly pushed back against the proposed changes. “This proposal by the FCC will do little to combat scams and robocalls, since most people doing that will have no trouble creating fake documentation or identities,” Cooper Quintin, security researcher and senior public interest technologist with the Electronic Frontier Foundation (EFF), told 404 Media. “Given this administration’s crackdown on free expression, protest, immigrants, and women’s health we have trouble seeing this as a bold attack on freedom of communication. They want to take away our ability to make an anonymous phone call.”
Eric Null, the director of the Privacy & Data Project at the Center for Democracy & Technology, told 404 Media in an emailed statement “To address the scourge of illegal robocalls, the FCC has unfortunately proposed to force every wireless subscriber in the nation to sacrifice their privacy and give up significant personal details before receiving or renewing a wireless line. While some carriers already collect such details, there are specific circumstances where a person may need privacy and anonymity when seeking a cell phone, including if that person is a victim of domestic violence, or is a journalist or whistleblower. This proposal represents a loss of privacy across the board, and from an agency whose remit includes protecting privacy. The FCC might let a few bad apples spoil the whole bunch.”
Cape is a privacy-focused telecom company that limits the amount of data it collects on its customers. John Doyle, the company’s CEO, told 404 Media in an emailed statement “We hate robocalls and support eliminating them, but entrusting telecom carriers to effectively create a nationwide ID registry for every American with a phone is not the solution. Mobile carriers have been breached time and again because the incentives to secure trillions of dollars of legacy architecture aren’t there. Further enriching compromised telecom datasets with government ID, physical addresses, and alternate phone numbers harms our security rather than improving it.”
Given this proposal is in the comments stage, the FCC has many questions it is hoping to receive information on, such as whether “renewing” customers should be only those new to the provider, or those switching plans with their current telecom; or whether they should not allow the use of P.O. boxes or shared office locations as the required “physical address.”
The FCC did not respond to 404 Media’s request for comment. The proposal is open to comments until June 25.
