I recently received a message from AT&T, my cellular service provider, alerting me to the fact that I could restrict AT&T from using my “customer proprietary network information” (CPNI) within the AT&T family of companies for AT&T’s own marketing purposes. The message was plainly written yet utterly inscrutable. For instance, it defines CPNI as including:
“the types of telecommunications and interconnected VoIP services you currently purchase, how you use them and the related billing for those services. CPNI does not include your telephone number, your name, or your address.”
Confused, I turned to Geoff Duncan, who has written extensively on telecommunications and data privacy issues for TidBITS over the years. He explained that CPNI originally referred to anything that might appear on your bill, but now varies widely by service and carrier. With cellular carriers, it might include your data plan and usage, device info, location history, Web browsing history, and even demographic information.
What is CPNI used for? AT&T says that it “does not sell CPNI to unaffiliated third parties,” and another page about CPNI clarifies just which companies qualify as being able to use this information — there are a lot:
“The AT&T family of companies are those AT&T companies that provide communications-related products and/or services, including the AT&T local and long distance companies, AT&T Corp., AT&T Long Distance, AT&T Internet Services, AT&T Mobility and other subsidiaries or affiliates of AT&T Inc. that provide, design, market or sell these products and/or services.”
Geoff said that the FCC’s original regulatory framework was intended to prevent two practices. The first is uncompetitive upselling, which could happen if a telco used its CPNI to tweak pricing for additional services for a particular customer in ways that competitors couldn’t match, for instance. The second, “pretexting,” prevents CPNI from being purchased by an outside party that would then pretend to be the phone company in order to get a customer to disclose or do something they wouldn’t otherwise.
The most recent changes to the CPNI legislation were back in 2007, but Geoff said that AT&T started notifying customers about the company’s use of CPNI in 2012. Indeed, when I searched through my email archives on “CPNI,” there was just one hit, an identically worded message from AT&T, sent in August 2012.
Are there any actual abuses of CPNI? Yes. Additional research revealed, among many other stories at the Electronic Privacy Information Center (EPIC), that in 2014 Verizon paid a $7.4 million fine for using CPNI for marketing purposes without informing customers. Worse, AT&T had to pay a $25 million fine in 2015 for disclosing personal information (and misusing CPNI data) for almost 280,000 of its U.S. customers, thanks to crooks paying off employees in three AT&T call centers in Mexico, Colombia, and the Philippines to unlock stolen and/or grey market phones.
It’s important to realize that restricting a carrier from using your CPNI doesn’t prevent it from being collected, so opting out might not prevent such information from being swept up in data breaches like AT&T’s, but it certainly can’t hurt. Regardless, the fact that the FCC felt it was important to require telcos to offer such an opt-out makes me think it’s worth doing.
Restricting AT&T from using CPNI isn’t difficult, but it does require information you may not have handy. Follow these steps (or you can use a voice-response system at 800-315-8303 or talk to a person at 800-288-2020):
- Go to http://att.com/ecpnioptout. (Amusingly, the link underneath the associated text in the email message used a tracking link, which makes me wonder if a click on it would become part of my CPNI.)
- Enter your account number or customer ID and billing ZIP code, select Restrict Use of My CPNI, and click Submit.
The tricky part here is getting your account number, which is most easily found on your bill or by logging in to AT&T’s site and looking in your profile. AT&T says it’s also available on the CPNI notice, which isn’t true — you can see my notice above, and there’s no ID on it.
What about other carriers and other types of personal information that’s gathered and potentially shared or sold? A page in the MIT Information Systems & Technology Knowledge Base offers links to opt out of these and other programs at AT&T, Verizon Wireless, and Sprint. I’d encourage everyone to explore those links — I discovered that although our phone numbers were opted out of AT&T’s “External Marketing & Analytics Reports,” they were still set to receive “Relevant Advertising — Wireless,” whatever that is. MIT’s page says that T-Mobile does not sell CPNI, which seems to match with T-Mobile’s CPNI page.
Personally, I’m not particularly perturbed to have my information used when businesses offer me products or services. However, if this information is so valuable, why do companies get to collect it (from services we’re paying for!) and use it for free? Wouldn’t it be interesting to put personal information into a marketplace, where you would get to say for what purposes it could be purchased, and for how much? Some Italian researchers did a study on the economics of personal data back in 2014, and there’s even a firm called Handshake aiming to do this, but it has been in closed beta since 2013, which isn’t a good sign. Still, food for thought…