Federal Communications Commission FCC 17-132

Federal Communications Commission FCC 17-132

Before the

Federal Communications Commission

Washington, D.C. 20554

In the Matter of
Rules and Policies Regarding Calling Number Identification Service – Caller ID
Waiver of Federal Communications Commission Regulations at 47 C.F.R. § 64.1601(b) on Behalf of Jewish Community Centers / )
)
)
)
)
)
)
) / CC Docket No. 91-281

Report and Order

Adopted: October 24, 2017 Released: October 25, 2017

By the Commission: Chairman Pai and Commissioners Clyburn, O’Rielly and Carr issuing separate statements.

I.  Introduction

1. Today, we help security and law enforcement personnel obtain quick access to blocked Caller ID information needed to identify and thwart threatening callers. We also amend our rules to allow non-public emergency services to obtain blocked Caller ID information associated with calls requesting assistance.
2. The number of threatening phone calls has increased dramatically in recent years.[1] These calls traumatize communities and result in substantial disruption to schools, religious organizations, and other entities. They also drain public resources by requiring the deployment of police and bomb units. Schools and others receiving threats have suggested that blocked Caller ID information hinders a rapid response.[2] Our action today moves away from case-by-case waivers[3] to a streamlined approach that will help protect the safety of threatened parties in a timely way.

II.  Background

A.  The CPN Rules

1. In 1994, the Commission adopted rules that require common carriers using Signaling System 7 (SS7) to transmit the Calling Party Number (CPN)[4] on interstate calls to interconnecting carriers.[5] The Commission concluded that passage of CPN over interstate facilities made possible a wide range of services, and that promoting the development of such services was consistent with the Commission’s responsibilities under the Communications Act of 1934, as amended (the Act).[6] In particular, the Commission concluded that requiring CPN transmission would bring consumers more rapid and efficient service, and encourage the introduction of new technologies and services to the public.[7]
2. In adopting this requirement, however, the Commission recognized that unrestricted CPN transmission could intrude upon the privacy interests of calling parties wishing to remain anonymous.[8] Therefore, the Commission established privacy options to allow callers to restrict the transmission of their telephone numbers.[9] For example, the Commission’s rules require carriers using SS7 to recognize the dialing of *67 as a request that the carrier not pass the calling party’s number.[10] Section 64.1601(b) of the Commission’s rules provides that “[n]o common carrier subscribing to or offering any service that delivers CPN may override the privacy indicator associated with an interstate call.”[11]
3. The former Common Carrier Bureau and the Consumer and Governmental Affairs Bureau (CGB or the Bureau) have granted limited waivers of the CPN privacy options in specific instances where requesting parties have demonstrated that such waivers serve the public interest.[12] For example, the Bureau has waived the rule in response to requests from school districts that had received bomb threats, while at the same time ensuring that access to CPNs would be very limited.[13] In addition, the Commission has found that in certain limited circumstances, the privacy requirements for CPN-based services should not apply to delivery of the CPN to a public agency’s emergency line, a poison control line, or in conjunction with 911 emergency services.[14]

B.  The Notice of Proposed Rulemaking

6.  In the June 2017 Caller ID NPRM, the Commission proposed to amend its rules to ensure that security and law enforcement personnel have quick access to the Caller ID information they need to identify and thwart threatening callers, without the regulatory delay inherent in applying for and being granted a waiver of the rules.[15] The Caller ID NPRM proposed an exemption from privacy protections that would allow the provision of blocked Caller ID information in the limited case of threatening calls.[16] It also sought comment on how to define a “threatening call”[17] and on whether to require anyone seeking blocked Caller ID information to do so in conjunction with a law enforcement agency to ensure that the called party is not attempting to circumvent the privacy obligations of the rule by reporting a false threat.[18] Finally, the Commission asked whether to extend an existing exemption for public emergency services to non-public entities that provide emergency services, such as private ambulance companies, so that they can readily obtain blocked Caller ID information for callers who request assistance.[19] Eight entities and individuals filed comments and three entities filed reply comments in response to the Caller ID NPRM, and all support addressing the problem of threatening calls with blocked Caller ID, albeit with varying recommendations on how to do so.[20]

III.  Discussion

A.  Caller ID Exemption for Threatening Calls

1. The Need for an Exemption. We modify our Caller ID rules to exempt threatening calls from the CPN privacy rules so that security personnel and law enforcement have quick access to information they need to aid their investigations. We agree with the vast majority of commenters that the exemption promotes public safety.[21] AT&T, for example, “strongly supports” an additional exemption under the Caller ID rules, saying that blocked Caller ID “may impede law enforcement investigations of threatening calls and hinder responses to these threats.”[22] The record shows that even when a threatening call proves to be a hoax, it can nonetheless result in substantial disruption and expenditure of public resources by law enforcement.[23] Moreover, one party argues that a permanent amendment to the rules outlining how blocked Caller ID information can be disclosed would “permit[] law enforcement agencies to know with certainty what their investigative rights and responsibilities will be when their constituents are threatened.”[24]
2. The need for the exemption is illustrated by reports of widespread and increasing numbers of threatening calls that have targeted schools, religious organizations, and other entities. One recent study found that the incidents of bomb threats made to schools from 2011-16 increased by 1,461 percent, and that more than half of such threats were made by phone.[25] Similarly, a 2016 report from the Bureau of Alcohol, Tobacco, Firearms and Explosives describes a substantial increase in bomb threats to schools and residences.[26] Media reports confirm this disturbing trend.[27] Although the record does not indicate how often threatening callers use the privacy indicators required by section 64.1601(b), parties seeking waiver of the rule have asserted that they frequently do so.[28]
3. This new exemption is consistent with the Commission’s prior approach in this area. The Commission has previously concluded, for example, that to the extent Caller ID services are used to deliver emergency services, privacy requirements should not apply to delivery of CPN to a public agency’s emergency lines, a poison control line, or in conjunction with 911 emergency services.[29] In these instances, the Commission concluded that Caller ID blocking mechanisms could jeopardize emergency services and therefore pose a serious threat to safety. We believe that threatening calls present equally compelling circumstances in which the need to ensure public safety, in accordance with the Commission’s fundamental statutory mission,[30] outweighs any CPN privacy interest of the threatening caller.
4. We disagree with the sole commenter who urges us to not adopt an exemption but instead continue to issue case-by-case waivers, albeit on a streamlined basis.[31] The waiver process, even if streamlined, would not provide equivalent benefits in combatting threatening calls. Investigation of these cases can depend on immediate action to stop a potentially catastrophic event.[32] An exemption would allow for virtually immediate access to blocked Caller ID information upon proper request in threatening situations. We thus agree with the commenters who point out that threatening calls should be addressed immediately through an exemption in our rules rather than a case-by-case waiver process.[33]
5. We also disagree with commenters who urge that carriers should have discretion to decline law enforcement requests to get Caller ID information.[34] CTIA claims that a mandate is not necessary, noting both the industry’s long and successful track record of cooperation with law enforcement and that the Electronic Communications Privacy Act (ECPA)[35] utilizes a voluntary disclosure provision.[36] While we believe that the industry’s record may indeed be laudatory, we conclude that mandatory disclosure is essential to our exemption.[37] The record reveals no scenarios where a request for Caller ID by law enforcement, as we describe below, should give carriers reason to question the validity of the emergency. Further, the imminent and grave nature of threatening calls, as defined below, leave little time for the exercise of discretion in whether to disclose information after law enforcement has become involved.[38]
6. We agree with AT&T that carriers should not be subject to liability for violation of our Caller ID privacy rules if they disclose blocked Caller ID pursuant to our new exemption.[39] As CTIA notes, “[l]aw enforcement has the experience and the thousands of officers in communities throughout the country who are already positioned to evaluate whether a threat is genuine.”[40] Law enforcement’s determination of a threatening call coupled with the mandatory nature of the disclosure removes any justification for placing liability on carriers who comply with a proper request for blocked Caller ID.[41] To the extent that AT&T and NTCA ask the Commission to somehow exempt carriers from any other legal liability, we decline to do so.[42] Our concern is only with ensuring that Commission rules do not interfere with the ability of carriers to respond to law enforcement requests as allowed under law.
7. Definition of “Threatening Call.” We define the term “threatening call,” which triggers the application of the new exemption, as “any call that conveys an emergency involving danger of death or serious physical injury to any person requiring disclosure without delay of information relating to the emergency.”[43] This definition ensures consistency with the emergency-disclosure provision of ECPA,[44] as urged by several commenters, and because it satisfies our goal of targeting the most threatening calls.[45]
8. In the Caller ID NPRM, we proposed to define a “threatening call” as “any call that includes a threat of serious and imminent unlawful action posing a substantial risk to property, life, safety, or health.”[46] Commenters urge that the Commission align its definition with ECPA’s emergency-disclosure exception, noting that our proposed definition is inconsistent with ECPA, and might be either over or under-inclusive depending on the circumstances.[47] ECPA, in relevant part, states that a provider “. . . may divulge a record or other information pertaining to a subscriber to or customer of such service . . . to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.”[48] CTIA notes that the Commission’s proposed definition would require disclosure of caller information in circumstances where existing federal law does not currently permit, such as a call threatening to steal a car.[49] We agree that our rule should be closely tailored to the scope of ECPA’s emergency-disclosure exception.
9. Because carriers are already familiar with the ECPA standard and ECPA covers the imminent nature of the dangers envisioned by the Caller ID NPRM and commenters, we tailor our rule to align with the ECPA definition for purposes of this new exemption.[50] We agree that it makes sense to align our definition of a threatening call with existing federal law to ensure that carriers have consistent legal standards to apply in situations where both our rules and ECPA apply. We also agree with commenters that the ECPA definition would sufficiently cover the types of calls we seek to exempt from the Caller ID blocking rule, without being either over- or under-inclusive, or including terms that could be ambiguous.[51]
10. Law Enforcement Involvement. We find that, to ensure the exemption is not abused, a request for blocked Caller ID information associated with a threatening call must be made by law enforcement on behalf of the threatened party. We believe that this requirement will, among other things, ensure that such requests concern a bona fide threatening call and will not be a pretext for obtaining blocked Caller ID for other purposes. As CTIA commented, such a requirement will ensure there is no ambiguity regarding the necessary level of law enforcement involvement.[52]
11. We agree with commenters that law enforcement involvement at this stage of the process is essential to avoid having carriers make a determination on what constitutes a threatening call.[53] AT&T avers that the involvement of law enforcement would help ensure compliance with the ECPA disclosure requirements,[54] and would help prevent overbroad disclosures of blocked caller ID information that may harm the privacy of non-threatening callers.[55] According to AT&T, law enforcement officials are “indisputably better qualified to validate the existence of emergency circumstances than carrier personnel,” and are likely more familiar with the facts giving rise to a requested disclosure.[56] CTIA adds that requiring law enforcement involvement when restricted Caller ID information is requested would deter parties from manipulating the unblocking process.[57] We agree with commenters that law enforcement personnel are in the best position to determine the existence of a credible threat that necessitates revealing CPN to investigate the threatening call.
12. Likewise, we find that only law enforcement personnel and, as directed by law enforcement, others directly responsible for the safety and security of the threatened party should receive the otherwise protected Caller ID information in the case of threatening calls.[58] Security personnel may only receive the blocked Caller ID information from the providers as directed by law enforcement because law enforcement will generally be in a better position than providers to determine who qualifies as security personnel.[59] We limit the disclosure of the blocked Caller ID information to prevent abuse,[60] and to protect the privacy interests of parties who may block their Caller ID for valid privacy interests, such as domestic violence victims. By limiting the disclosure to law enforcement or, as directed by law enforcement, to security personnel for purposes of investigating a threat, we seek to prevent exploitations of the amended rule, such as an abuser tracking down a victim. We define security personnel as “those individuals directly responsible for maintaining safety of the threatened entity consistent with the nature of the threat.”[61] We allow disclosure to security personnel as directed by law enforcement to encompass situations where security personnel need access to the blocked Caller ID information for investigative purposes, as in instances when a large institution with its own security force, like a university or government agency, receives a threat.[62]
13. We agree with CTIA’s recommendation that “called parties should not be the recipients of information,” and the “use of disclosed CPN should be restricted – by rule – in a manner consistent with prior waivers.”[63] Accordingly, we include the following conditions in our rule for law enforcement or, as directed by law enforcement, security personnel of the called party investigating the threat: (1) the CPN on incoming restricted calls may not be passed on to the line called; (2) any system used to record CPN must be operated in a secure way, limiting access to designated telecommunications and security personnel, as directed by law enforcement; (3) telecommunications and security personnel, as directed by law enforcement, may access restricted CPN data only when investigating calls involving danger of death or serious physical injury to any person requiring disclosure without delay of information relating to the emergency, and shall document that access as part of the investigative report; (4) carriers transmitting restricted CPN information must take reasonable measures to ensure the security of such communications;[64] (5) CPN information must be destroyed in a secure manner after a reasonable retention period; and, (6) any violation of these conditions must be reported promptly to the Commission.