“I think oftentimes companies can be in the position of opposing additional regulation at the federal level,” said Melanie Tiano, director of federal regulatory affairs at T-Mobile. “But this is probably one of those areas where that’s not the case, in part because of the flurry of activity going on at the state level, which makes compliance in the U.S. marketplace extraordinarily confusing and difficult.”

The New Jersey legislature cleared one such bill on Monday. If that’s signed into law by the state’s governor, it would bring the number up to 13. Federal efforts, notably the American Data Privacy and Protection Act, have stalled in recent years.

“We will continue to be seriously committed to getting legislation done in a bipartisan way. That’s not always easy right now, but we’re continuing to work on that” said Tim Kurth, chief counsel for the House Innovation, Data and Commerce Subcommittee.

Simone Hall Wood, privacy and public policy manager at Meta, said “privacy regulation should not inhibit beneficial uses of data.” The company has argued it has a legitimate interest in data use practices that the European Union has found to be out of compliance with its data privacy law, the GDPR.

Industry groups, including the Consumer Technology Association, which runs the CES conference, have advocated for a light-touch privacy law in the United States, in contrast with the more comprehensive European standard.

Kurth had similar thoughts Thursday, saying the GDPR “really hurt startups and really hurt innovations.”

Still, Woods said establishing a uniform standard is something the law does well.

“It sets certainty across the marketplace for what privacy protections look like for consumers. And so that aspect of it is positive,” she said.

“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”

Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.

The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.

What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those  include encrypting both stored and communicated data and the ability to receive software updates.

The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”

“Collaboration is key here,” said Amanda Potter, assistant vice president and senior legal counsel for AT&T.

Current measures

Alejandro Roark, chief of the FCC’s Consumer and Government Affairs Bureau, noted Federal Trade Commission data showing American consumers reported losing $790 million to scam calls and another $396 million to scam texts in 2022.

The Commission took action on preventing both in 2023, expanding its STIR/SHAKEN regime – a set of measures to confirm caller identities – to all providers who handle call traffic, moving to block call traffic from non compliant providers, and issuing multiple fines in the hundreds of millions. Almost every state has entered an agreement with the agency to collaborate on robocall investigations.

In addition, the FCC adopted its first robotext rules and moved to tighten those rules in December, closing the “lead generator loophole” by requiring affirmative consent for companies to send consumers marketing messages. Comments are being accepted on a proposal to institute a text authentication scheme.

For AT&T’s part, Potter said the company has instituted network filters to block messages that are likely to be illegal.

“We’re not going to claim success by any means, but when we have these robust network defenses, that does a lot,” she said, citing a total of 1 billion blocked texts on the company’s networks in July 2023.

AT&T also worked with manufacturers on features allowing consumers to report text as junk when deleting messages, which Potter said has provided extra data to tune spam filters.

What’s next

“We start from a standpoint of maximum flexibility when it comes to messaging,” Potter said, in contrast to voice calls, which are more tightly regulated and required FCC intervention for providers to block. 

“I’m concerned about that being taken away, or perhaps regulation being something of a distraction,” she said.

Roark agreed on flexibility being superior to regulation, although the Commission is moving forward with its proceeding on more expansive text authentication rules. The proposed rules include requiring more providers on the traffic chain to block texts from numbers flagged as scammers by the FCC and requiring measurers to verify the identity of texters, similar to the STIR/SHAKEN system for caller authentication.

The FCC is also taking comments on how AI factors into robocalls and robotexts, both how it’s used to perpetrate them and how the Commission might use AI tools to combat them.

At a House oversight hearing in November, FCC Chairwoman Jessica Rosenworcel asked Congress for the authority to collect the fines the Commission imposes – a job currently left to the DOJ – and access to more financial information to help the agency’s robocall prevention efforts.

The companies, Solid Double and CallWin, are required to block traffic from certain callers identified by the commission’s Enforcement Bureau as bad actors and report those efforts to the FCC in the next two days. Both will also have to detail plans to prevent future robocalls to the commission within 14 days.

“Providers that allow illegal traffic face serious consequences,” FCC Enforcement Bureau Chief Loyaan Egal said in a statement. “We will not hesitate to take decisive action to protect consumers.”

The FCC has indeed taken an aggressive stance on scam calls and text in recent months. In August the commission expanded its STIR/SHAKEN regime, a protocol for verifying caller identities, to all providers handling call traffic and moved in October to blacklist 20 providers for lax robocall prevention policies.

Commissioners also adopted rules at their December open meeting that place more stringent consent requirements on companies looking to send automated calls and texts to customers.

In this case, Solid Double is accused of facilitating spoofed traffic – calls purporting to be from a different number than is actually placing the call – from at least one entity and potentially others, including one the FCC said it identified by the name of “Sham Telecom.”

The business whose number was being used by spoofers alerted the FCC through a spoof reporting portal after receiving calls from targeted consumers, making Solid Double the first provider on the receiving end of an enforcement action initiated by the portal.

As for CallWin, the company is accused of originating robocall campaigns from at least four entities that did not obtain consent from the consumers they targeted.

The commission said in a statement that Solid Double and CallWin could have all their traffic blacklisted if the two providers do not comply with the order. The companies did not immediately respond to requests for comment.

Commissioners asked Congress to take action to further strengthen the agency’s robocall authorities at a House oversight hearing on December 1, including widening the scope of technologies covered by the Telephone Consumer Protection Act and giving the FCC the ability to collect fines from illegal robocallers.

Illegal robocalls are regulated by the Federal Communications Commission through a framework called STIR/SHAKEN, which requires service providers to authenticate calls before they reach a consumer to combat spam and scam calls. 

Ron Thorton, consulting engineer at IT service company United Office, said at the VON Evolution conference last month that calls are often determined to be spam by third party analytics companies based on calling patterns, such as the number of and duration of those calls to decide if a number presents as spam. 

A problem with tagging those calls as spam is that any previous caller identification an individual receives is replaced with a warning label which deters them from picking up the phone and nothing else, said Thorton. 

Those calls, unfortunately, could include ones originating from the doctor’s office or a bank because they have persistent calling patterns that could be labeled as spam. 

Concern about users missing important calls that become tagged as spam has been brought forth in the past by industry experts who felt that intermediate phone operators determining whether or not a call is fit to go through, was problematic.  

“You aren’t giving me all of the information to make my own judgment on this call because you’re basically telling me to ignore it,” added Thornton.  

Jeff Pulver, the founder of VON Evolution, said that this kind of problem erodes the trust people have in the phone calls they get. 

To put autonomy back into consumers hands, Thornton said that going forward, terminating carriers should not entirely replace the caller identification that people receive. 

Thornton explained that terminating carriers should then not be allowed to replace the name of a caller. “If you’re going to put out a potential spam tag…you’ve got to include any name that you can potentially access.”

He added that this kind of oversight may have to come directly from the FCC in the form of caller label regulatory guidelines and should be prompted by complaints from users receiving incorrect calls. 

The caveat he added was that oftentimes the sheer number of trusted callers who are tagged as spam is not properly recorded because people are not picking up those calls in the first place. 

Thornton said that those “calls aren’t picked up so nobody knows the reason it wasn’t picked up is because it was tagged as potential spam.”

To remedy that gap in spam caller information, there needs to be a kind of feedback loop from the terminating provider to the originating provider so that when trusted calls are tagged as spam, people are made aware of it. 

Glenn Richards, partner at Pillsbury Winthrop Shaw Pittman LLP, who spoke at the VON event, previously told Broadband Breakfast that the responsibility of blocking spam calls belongs to the originating service provider and that they should be subject to enforcement. 

At VON, Richards explained that when it comes to robocall enforcement, there is a fine line between stopping fraudulent calls and stopping legitimate calls that need to be answered – a line industry experts were trying to parse out at the event. 

More recently, government figureheads have been calling on the FCC to better their enforcement of robocalls by putting money into enforcement offices or more stringent robocall investigations. 

At its November meeting, the FCC voted to start implementing the use of AI to be able to better detect robocalls and, in October, issued enforcement orders and blocked traffic from nearly 20 providers for having lax robocall regulations.

Commissioners urged Congress to restore the FCC’s authority to action spectrum, which expired in March and left the nation’s airwaves in limbo, and to fund the Affordable Connectivity Program, the low-income internet subsidy set to dry up in April of next year. 

GOP lawmakers FCC Republicans also took the chance to slam efforts by the commission’s Democratic majority.

The discussion touched on other issues including robocall prevention, rip and replace funding, and pole attachments.

Robocalls

The commission has been taking action on preventing robocalls this year, kicking off an inquiry into using artificial intelligence to detect fraud, blocking call traffic from 20 providers for lax enforcement policies and issuing hundreds of millions in fines. In August the commission also expanded the STIR/SHAKEN regime – a set of measures to confirm caller identities – to all providers who handle call traffic.

FCC Chairwoman Jessica Rosenworcel asked multiple times for three Congressional actions she said would help the commission crack down on scam calls: a new definition for “autodialer,” the ability to collect fines, and access to Bank Secrecy Act information.

The Supreme Court limited the definition of autodialers in 2021 to devices that store or produce phone numbers with random or sequential number generators. That leaves the scope of the Telephone Consumer Protection Act, which guides the FCC’s authority, “stuck in the nineties,” according to Rosenworcel.

“A lot of scam artists are using technologies no longer covered” by the act, she said. “We can’t go after them.”

On collecting robocall fines, that authority currently rests with the Department of Justice, and Rosenworcel is not the first to tell Congress the agency’s enforcement has been lax. Industry groups at an October Senate hearing cited slow DOJ action as a major reason FCC fines on the issue often go uncollected.

The Bank Secrecy Act requires financial institutions to keep records on certain transactions to help law enforcement agencies track money laundering and other criminal activity. The FCC cannot access information governed by the act, which Rosenworcel said would help the commission go after repeat scammers.

“These scam artists set up one company, we shut them down, they go and set another one up,” she said.

Rip and replace

Commissioners urged Congress to fund the rip and replace program. Congress allocated $1.9 billion to reimburse broadband companies for replacing network equipment from Chinese companies deemed to be national security threats, mainly Huawei and ZTE.

The FCC was tasked with overseeing the program and found in 2022 that another $3 billion would be needed to get the work done. The Biden administration joined a chorus of lawmakers and broadband companies in calling for Congress to fill the gap, but legislation on the issue has yet to be passed.

“We’re providing 40 cents on the dollar to a lot of small and rural carriers,” said Rosenworcel. “They need more funds to get the job done.”

The commission has been granting extensions to providers unable to get the work done on time. In addition to supply chain issues, some small providers cite a lack of funding as the reason they’re unable to replace insecure equipment.

Pole attachments

Commissioners expressed a willingness to shift some of the burden of utility pole replacements off of broadband providers as they attach new equipment.

“If a pole is getting replaced,” Commissioner Brendan Carr said, “there’s probably a role for the FCC to say that the pole owner should bear somewhere north of the cost of $0.”

The commission has authority in 26 states over most pole attachment deals between utility pole owners and telecommunications companies looking to expand their networks. The issue of who pays for poles that need to be replaced to accommodate more communications equipment is contentious, with telecoms arguing utilities force them to pay for replacing already junk poles. 

After spending years sifting through thousands of comments, commissioners have apparently been persuaded. Rules up for a vote at the commission’s December meeting would limit the scenarios in which utilities could pass full replacement costs on to attachers.

Broadband funding map

Rosenworcel repeatedly asked lawmakers to work with the commission on ensuring its broadband funding map is kept up to date.

The FCC launched its funding map in May to keep track of the myriad federal broadband subsidy efforts and avoid funding the same areas multiple times. The Department of Agriculture, the FCC, and the Treasury Department each oversee separate broadband funding programs, in addition to the Commerce Department’s upcoming $42.5 billion broadband expansion effort.

The commission has signed memoranda of understanding with those agencies on providing data for the funding map, but Rosenworcel asked the subcommittee for help ensuring the agencies follow through and respond to FCC requests for their funding data. 

“If you could help us make sure those other agencies respond to us with data, you’ll see where there are problems, duplication, areas we haven’t reached,” she said.

The BEAD program, which will provide federal grants to states to disperse for broadband projects, requires providers to submit comprehensive cybersecurity plans based on standards from the National Institute of Standards and Technology. Panelists said flexibility in the plans allows customization but also establishes baseline expectations as critical infrastructure relies more on connected technology.

“I think the way that states and entities interpret these BEAD cybersecurity and supply chain requirements is really going to have a ripple effect across the whole community,” said Savannah Schaefer, an attorney of Wilkinson Barker Knauer, who advises clients on cybersecurity.

Federal Communications Commission rules are beginning to include similar mandates, meaning how states implement BEAD’s requirements could influence cybersecurity regulations more broadly, Schaefer said.

Melissa Newman, vice president of government Affairs at the Telecommunications Industry Association, said BEAD’s cybersecurity stipulations cite lengthy federal guidance documents providers must wade through. Her trade group developed a checklist to help companies understand the rules.

“You cannot be confident in the security of your networks and products without consideration of both cyber and supply chain security,” said Newman, TIA’s vice president of government affairs.

Supply chain management, knowing who provides equipment and software, is critical because cybersecurity threats can be embedded throughout a product’s lifecycle, she said.

Evan Rice, senior vice president of Guide Star, a division of CCI Systems, said providers should start by documenting current cyber practices, identifying gaps and making plans to address them. Cybersecurity must be incorporated holistically, from network construction to long-term operation, he said.

“Everyone understands that piece. The cybersecurity is the same. Once you build it, you have to operate it,” said Rice. Schaefer encouraged viewing BEAD as part of an ongoing process of shaping cybersecurity requirements.

Our Broadband Breakfast Live Online events take place on Wednesday at 12 Noon ET. Watch the event on Broadband Breakfast, or REGISTER HERE to join the conversation.

Wednesday, November 1, 2023 – Cybersecurity and BEAD

To qualify for funding under the Broadband Equity, Access and Deployment program, network operators must submit a comprehensive cybersecurity strategy in line with the National Institute of Standards and Technology’s cybersecurity framework. What impacts do these requirements have on broadband deployers, and what steps can they take to ensure compliance? How can operators strike the right balance between expanding their networks and safeguarding them against cyber threats?

Panelists

• Evan Rice, Senior Vice President, Guide Star
• Savannah Schaefer, Wilkinson Barker Knauer LLP
• Melissa Newman, Vice President of Government Affairs, Telecommunications Industry Association
• Drew Clark (moderator), Editor and Publisher, Broadband Breakfast

As with all Broadband Breakfast Live Online events, the FREE webcasts will take place at 12 Noon ET on Wednesday.

SUBSCRIBE to the Broadband Breakfast YouTube channel. That way, you will be notified when events go live. Watch on YouTube, Twitter and Facebook.

See a complete list of upcoming and past Broadband Breakfast Live Online events.

The ask came Wednesday as part of a $55.9 billion request for domestic aid, including disaster relief and child care subsidies. Also in the White House’s request was $6 billion to continue the Affordable Connectivity Program, the monthly internet subsidy that’s set to dry up in April 2024 without additional funding.

In 2020, Congress required broadband providers to replace equipment from some Chinese companies, including Huawei and ZTE, citing concerns that it could be used for espionage. The effort was funded with $1.9 billion to reimburse companies for the cost of switching out gear.

But in July 2022 the FCC, which oversees the program, said broadband providers would need $4.98 billion to get the work done. There have since been repeated calls from lawmakers and industry to shore up the fund. Bills have been introduced in both the House and Senate to fill the $3 billion gap, but they have yet to be passed.

The deadline for approved companies to request reimbursement for rip and replace work passed on July 15. By default, companies have one year from the approval of that request to remove the Chinese equipment, but the commission has been granting deadline extensions as providers complain of funding troubles.

House Republicans managed to elect a speaker on the same day as the funding request, ending weeks of deadlock.

For its part, the Federal Communications Commission has been taking more aggressive action on fraudulent calls and texts in recent months. The commission moved last week to block call traffic from 20 companies for lax robocall policies, and the agency has issued more than $500 million in fines for scam calls in the last year.

But that has not been enough to curb the longstanding issue, said Senator Ben Ray Luján, D-N.M., said at a Senate subcommittee hearing.

“Scammers used our telecom networks to defraud Amwericans out of an estimated $39 billion in 2022 alone,” he said. “That’s enough money to provide affordable broadband to the 21 million households enrolled in the Affordable Connectivity Program for eight years.”

Very few of the fines issued by the FCC have been collected. For Megan Brown, a lawyer representing the U.S. Chamber of Commerce, that comes down to lax DOJ enforcement. 

Josh Becu, the head of USTelecom’s Industry Traceback Group, agreed, telling the Subcommittee on Communications, Media, and Broadband that Congress should push the DOJ to prioritize robocall enforcement.

“The FCC’s efforts really run out of steam if the [Justice] Department is not there to get them across the finish line and actually collect on some of those forfeitures,” Brown said.

She said Congress could push the Department to prioritize money for robocall investigations and enforcement, or set up a dedicated robocall office. 

Margot Saunders, a senior attorney at the National Consumer Law Center, said the FCC should move faster to block call traffic from offending voice providers in the future. 

“If the FCC were to adopt a system under which it quickly suspends the ability of a voice service provider to participate in the network once that provider is determined to be a repeat offender,” Saunders said, “we think that would be a magic bullet.”

The commission announced yesterday a proposed notice of inquiry seeking comment on using artificial intelligence to root out robocall fraud. Commissioners will vote on the proposal at the FCC’s November 15 open meeting.

Jessica Rosenworcel will be circulating a proposal to get comments on using AI and machine learning to detect fraud, she said on Monday at a fireside chat with AARP policy heads.

AI could be used to detect patterns that indicate potential fraud and “cut those bad actors responsible for robocalls and robotexts off before they ever reach you,” she said.

The proposed inquiry would also seek comment on ways of combating AI-assisted fraud.

Older Americans are especially at risk of losing money to scam phone calls because they are more likely to be isolated, said AARP Texas State Director Tina Tran.

“They want to answer the phone because they want to talk to someone,” she said. “Scammers know this and they really take advantage of it.”

The proposal will be voted on at the commission’s November 15 open meeting. If approved, it will be part of a broader commission effort to combat scam calls and texts.

“This year alone, we’ve issued more than $500 million in fines” for scam calls and texts, Rosenworcel said. 

Most recently, the FCC moved last week to block calls from 20 companies that did not submit adequate robocall policies, in some cases filing blank pages and miscellaneous images instead of fraud prevention plans. If those voice providers do not submit updated plans, they will be removed from the FCC’s Robocall Mitigation Database, meaning other providers must deny their traffic.

The commission also extended in August its STIR/SHAKEN requirements – measures to confirm the identity of callers – to all providers who handle voice traffic.

Policymakers have many decisions to make around artificial intelligence, such as how it can be used in sensitive areas such as financial markets, health care, and national security. They will need to decide intellectual property rights around AI-created content. There will also need to be guardrails to prevent the dissemination of mis- and disinformation. But before we build the second and third story of this regulatory house, we need to lay a strong foundation and that must center around a national data privacy standard.

To understand this bedrock need, it’s important to look at how artificial intelligence was developed. AI needs an immense quantity of data. The generative language tool ChatGPT was trained on 45 terabytes of data, or the equivalent of over 200 days’ worth of HD video. That information may have included our posts on social media and online forums that have likely taught ChatGPT how we write and communicate with each other. That’s because this data is largely unprotected and widely available to third-party companies willing to pay for it. AI developers do not need to disclose where they get their input data from because the U.S. has no national privacy law.

While data studies have existed for centuries and can have major benefits, they are often centered around consent to use that information. Medical studies often use patient health data and outcomes, but that information needs the approval of the study participants in most cases. That’s because in the 1990s Congress gave health information a basic level of protection but that law only protects data shared between patients and their health care providers. The same is not true for other health platforms, like fitness apps, or most other data we generate today, including our conversations online and geolocation information.

Currently, the companies that collect our data are in control of it. Google for years scanned Gmail inboxes to sell users targeted ads, before abandoning the practice. Zoom recently had to update its data collection policy after it was accused of using customers’ audio and video to train its AI products. We’ve all downloaded an app on our phone and immediately accepted the terms and conditions window without actually reading it. Companies can and often do change the terms regarding how much of our information they collect and how they use it. A national privacy standard would ensure a baseline set of protections no matter where someone lives in the U.S. and restrict companies from storing and selling our personal data.

Ensuring there’s transparency and accountability in what data goes into AI is also important for a quality and responsible product. If input data is biased, we’re going to get a biased outcome, or better put ‘garbage in, garbage out.’ Facial recognition is one application of artificial intelligence. Largely these systems have been trained by and with data from white people. That’s led to clear biases when communities of color interact with this technology.

The United States must be a global leader on artificial intelligence policy but other countries are not waiting as we sit still. The European Union has moved faster on AI regulations because it passed its privacy law in 2018. The Chinese government has also moved quickly on AI but in an alarmingly anti-democratic way. If we want a seat at the international table to set the long-term direction for AI that reflects our core American values, we must have our own national data privacy law to start.

The Biden administration has taken some encouraging steps to begin putting guardrails around AI but it is constrained by Congress’ inaction. The White House recently announced voluntary artificial intelligence standards, which include a section on data privacy. Voluntary guidelines don’t come with accountability and the federal government can only enforce the rules on the books, which are woefully outdated.

That’s why Congress needs to step up and set the rules of the road. Strong national standards like privacy must be uniform throughout the country, rather than the state-by-state approach we have now. It has to put people back in control of their information instead of companies. It must also be enforceable so that the government can hold bad actors accountable. These are the components of the legislation I have introduced over the past few Congresses and the bipartisan proposal the Energy & Commerce Committee advanced last year.

As with all things in Congress, it comes down to a matter of priorities. With artificial intelligence expanding so fast, we can no longer wait to take up this issue. We were behind on technology policy already, but we fall further behind as other countries take the lead. We must act quickly and set a robust foundation. That has to include a strong, enforceable national privacy standard.

Congresswoman Suzan K. DelBene represents Washington’s 1st District in the United States House of Representatives. This piece was originally published in Newsweek, and is reprinted with permission. 

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.

The FCC released a notice of proposed rulemaking in June that would strengthen the consumers’ ability to revoke consent to receive robocalls and robotexts. It would ensure consumers can easily revoke consent to receive robocalls, require that callers honor do-not –call requests within 24 hours and allow wireless consumers the option to stop robocalls and robotexts from their own wireless provider.  

ACA International, a trade group for the debt collection industry, in conjunction with the Credit Union National Association recommended that the FCC codify reasonable limits on the methods of revocation of consent for robocalls and texts.  

The law, as currently written, would “ensure that revocation of consent does not require the use of specific words or burdensome methods” and codify a 2015 ruling that consumers who have provided consent may revoke it through any reasonable means. ACA International and CUNA asked the FCC to acknowledge the realities of revocation processes. 

“Automated processes cannot be programmed to recognize a virtually infinite combination of words and phrases that could reasonably be interpreted as a clear expression of consumers desire to stop further communications,” it said. The FCC should specify “reasonable means that callers can prescribe, such as a limited set of keyworks that are common synonyms of STOP, which is the universally recognized method to prevent further text messages.” 

Cable industry wants guidance on ‘reasonable methods’

Steven Morris, vice president at NCTA, the Internet and Television Association, added his support that the FCC should provide additional guidance on what it defines as “reasonable methods” of revoking consent and allow callers 72 hours to process opt-out requests. It also suggested that the FCC adopt its proposal to permit one-time texts seeking clarification on the scope of an opt-out request. 

“The FCC’s proposal that consumers be able to revoke consent using ‘any telephone number or email address at which the consumer can reasonably expect to reach the caller’ would also be incredibly complex and likely impossible to effectively administer,” NCTA said. 

Wireless trade association CTIA’s manager of regulatory Affairs Courtney Tolerico said in comments that the proposal severely limits providers ability to send important, service-related communications to subscribers and incentives providers to apply opt-outs unnecessarily broadly, further limiting these beneficial communications and “downgrading the wireless customer experience.” 

It claimed that “even if the FCC had such authority, doing so in the absence of demonstrated consumer harm would be arbitrary and capricious,” saying that the agency does not have reason to enforce laws that would hamper wireless carrier’s ability to serve customers. 

Verizon’s general counsel, Christopher Oatway, expressed the same sentiment, claiming that the FCC “provides no basis to conclude that wireless carriers are abusing their subscribers with unwanted calls or texts.” 

The proposal would “undermine the unique relationship between providers and their customer for wireless service, which today is crucial to Americans’ ability both to conduct their everyday lives as well as to access emergency services and government benefits,” said Verizon. It referred to federal programs like lifeline and ACP that promote connectivity, claiming that its communications with its own customers educates on federal benefit programs. 

‘No incentive’ for abuse by wireless providers, says AT&T

Gregory Romano, vice president and deputy general counsel at AT&T added that “there is no incentive for wireless providers to abuse the current wireless carrier exception,” referring to wireless carriers’ ability to contact their own customers. “The marketplace for consumer wireless service is highly competitive. Wireless providers do not want to annoy their customers with too many messages, or the provider is at risk of losing the customer to a competitor, which is clearly not in the provider’s interest.” 

In June, commenters pushed back against FCC proposed rules that would require mobile wireless providers to ban marketers from contacting a consumer multiple times based on one consent, claiming it will harm legitimate communications. 

Proposed rules are in response to the rising number of telemarketing and robocalls, sated the notice of proposed rulemaking.  

The new rules will set additional protections that would require the terminating provider to block texts after notification from the FCC that the text is illegal, to extend the National Do-Not-Call Registry’s protections to text messages, and to ban the practice of marketers purporting to have written consent for numerous parties to contact a consumer based on one consent. Comments on the proposal were due in May and reply comments on June 6.

“Robocall campaigns often rely on flimsy claims of consent where a consumer interested in job listings, a potential reward, or a mortgage quote, unknowingly and unwillingly ‘consents’ to telemarketing calls from dozens – or hundreds or thousands – of unaffiliated entities about anything and everything,” read the comments from USTelecom trade association.  

Wireless trade association CTIA cited that Medicaid text messages that alert customers to critical health updates may be blocked by the ruling despite the FCC’s acknowledgement that these texts are critical. Many providers are unbending in enforcing robotext policies that mandate agencies must “satisfactorily demonstrate they receive prior express consent from enrollees to contact them.” 

CTIA’s comments claimed that the proposed rules would “do little to enhance existing industry efforts to reduce text spam or protect consumers.” 

Competitive networks trade association INCOMPAS claimed that the current framework is not well suited to allow the industry to universally resolve text messaging issues. “In the absence of standardized, competitively neutral rules, the current dynamics create perverse incentives that allow gamesmanship and arbitrage schemes as well as fraudulent behaviors to thrive.” 

USTelecom commended the FCC for taking these steps and suggested that it expressly ban the practice of obtaining single consumer consent as grounds for delivering calls to multiple receivers by issuing a decisive declaration rather than a rule change. Providing clear guidance will deprive aggressive telemarketers of the plausible deniability they rely on to put calls through, it said. 

The new language proposed in the notice is unnecessary and runs the risk of introducing new ambiguity by not eliminating perceived loopholes through a decisive declaration, read its comments. 

The Retail Industry Leaders Association claimed that the notice would “primarily and negatively impact those who send legitimate text message solicitations, not scam senders and bad actors.” The well-intentioned measures will sweep in legitimate text communications, it claimed, by reducing consumer control and making assumptions on their behalf. 

“Consumers use the DNC list to prevent unwanted telephone call solicitations. They do not expect that the DNC List will prevent normal and desired communications from legitimate businesses like RILA members,” it wrote.

In the event the FCC moves forward with the proposed rules, the RILA urged that the rules include “clear carve-outs or safe harbors” for legitimate solicitations. 

This comes as the FCC considers additional proposed rules that will strengthen consumer consent for robocalls and robotexts by allowing consumers to decide which robocalls and texts they wish to receive.

The draft proposals will not protect consumers and instead will “limit the ability of consumers to receive important, time-sensitive information about their wireless service,” said CTIA. These time-sensitive messages can include bill reminders, international roaming alerts, and fraud alerts, among others.  

The notice as currently written does not acknowledge any record support, policy reason or benefits that the proposed limitations to the current framework would deliver, read the report by CTIA. 

CTIA urged the FCC to add questions to the notice to clarify the unique relationship between wireless service providers and their consumers and the substantial consumer benefits that have resulted under the current framework. 

The action is a response to the rising number of telemarketing and robocalls, stated the Notice. “We believe the rules the commission adopts here strike an appropriate balance between maximizing consumer privacy protections and avoiding imposing undue burdens on telemarketers,” read the Notice. 

The Notice seeks to revise the current Telephone Consumer Protection Act rules and adopt new ones that would provide consumers with options for avoiding unwanted telephone solicitations. The ruling would include a national do-not-call registry for all telemarketing calls. 

Proponents of a TikTok ban argue that the app poses an “untenable threat” because of the amount of data it collects — including user location, search history and biometric data — as well as its relationship with the Chinese government, said Joel Thayer, president of the Digital Progress Institute, at a debate hosted Wednesday by Broadband Breakfast.

These fears have been cited by state and federal lawmakers in a wide range of proposals that would place various restrictions on TikTok, including a controversial bill that would extend to all technologies connected to a “foreign adversary.” More than two dozen states have already banned TikTok on government devices, and Montana recently became the first state to ban the app altogether.

TikTok on Monday sued Montana over the ban, arguing that the “unprecedented and extreme step of banning a major platform for First Amendment speech, based on unfounded speculation about potential foreign government access to user data and the content of the speech, is flatly inconsistent with the Constitution.”

Thayer contested the lawsuit’s claim, saying that “the First Amendment does not prevent Montana or the federal government from regulating non expressive conduct, especially if it’s illicit.”

However, courts have consistently held that the act of communicating and receiving information cannot be regulated separately from speech, said David Greene, civil liberties director and senior staff attorney at the Electronic Frontier Foundation.

“This is a regulation of expression — it’s a regulation of how people communicate with each other and how they receive communications,” he said.

Stringent regulations could protect privacy without suppressing speech

A complete ban of TikTok suppresses far more speech than is necessary to preserve national security interests, making less intrusive options preferable, said Daniel Lyons, nonresident senior fellow at the American Enterprise Institute.

TikTok is currently engaged in a $1.5 billion U.S. data security initiative that will incorporate several layers of government and private sector oversight into its privacy and content moderation practices, in addition to moving all U.S. user data to servers owned by an Austin-based software company.

This effort, nicknamed Project Texas, “strikes me as a much better alternative that doesn’t have the First Amendment problems that an outright TikTok ban has,” Lyons said.

Greene noted that many online platforms — both within and outside the U.S. — collect and sell significant amounts of user data, creating the potential for foreign adversaries to purchase it.

“Merely focusing on TikTok is an underinclusive way of addressing these concerns about U.S. data privacy,” he said. “It would be really great if Congress would actually take a close look at comprehensive data privacy legislation that would address that problem.”

Greene also highlighted the practical barriers to banning an app, pointing out that TikTok is accessible through a variety of alternative online sources. These sources tend to be much less secure than the commonly used app stores, meaning that a ban focused on app stores is actually “making data more vulnerable to foreign exploitation,” he said.

TikTok risks severe enough to warrant some action, panelists agree

Although concerns about suppressing speech are valid, the immediate national security risks associated with the Chinese government accessing a massive collection of U.S. user data are severe enough to warrant consideration of a ban, said Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute.

“Will it hurt people who are building businesses from it? Absolutely,” he said. “But until we have safeguards in place, we need to be cautious about business as usual.”

These safeguards should include security audits, data flow monitoring and online privacy legislation, Dahbura continued.

Thayer emphasized the difference between excessive data collection practices and foreign surveillance.

“I think we all agree that there should be a federal privacy law,” he said. “That doesn’t really speak to the fact that there are potential backdoors, that there are these potential avenues to continue to surveil… So I say, why not both?”

Lyons agreed that TikTok’s “unique threat” might warrant action beyond a general privacy law, but maintained that a nationwide ban was “far too extreme.”

Even if further action against TikTok is eventually justified, Greene advocated for federal privacy legislation to be the starting point.  “We’re spending a lot of time talking about banning TikTok, which again, is going to affect millions of Americans… and we’re doing nothing about having data broadly collected otherwise,” he said. “At a minimum, our priorities are backwards.”

Our Broadband Breakfast Live Online events take place on Wednesday at 12 Noon ET. Watch the event on Broadband Breakfast, or REGISTER HERE to join the conversation.

Wednesday, May 24, 2023 – Debate: Should the U.S. Ban TikTok?

Since November, more than two dozen states have banned TikTok on government devices. Montana recently became the first state to pass legislation that would ban the app altogether, and several members of Congress have advocated for extending a similar ban to the entire country. Is TikTok’s billion-dollar U.S. data security initiative a meaningful step forward, or just an empty promise? How should lawmakers navigate competing concerns about national security, free speech, mental health and a competitive marketplace? This special session of Broadband Breakfast Live Online will engage advocates and critics in an Oxford-style debate over whether the U.S. should ban TikTok.

Panelists

Pro-TikTok Ban

• Anton Dahbura, Executive Director, Johns Hopkins University Information Security Institute
• Joel Thayer, President, Digital Progress Institute

Anti-TikTok Ban

• David Greene, Civil Liberties Director and Senior Staff Attorney, Electronic Frontier Foundation
• Daniel Lyons, Nonresident Senior Fellow, American Enterprise Institute

Moderator

• Drew Clark, Editor and Publisher, Broadband Breakfast

Anton Dahbura serves as co-director of the Johns Hopkins Institute for Assured Autonomy, and is the executive director of the Johns Hopkins University Information Security Institute. Since 2012, he has been an associate research scientist in the Department of Computer Science. Dahbura is a fellow at the Institute of Electrical and Electronics Engineers, served as a researcher at AT&T Bell Laboratories, was an invited lecturer in the Department of Computer Science at Princeton University and served as research director of the Motorola Cambridge Research Center.

Joel Thayer, president of the Digital Progress Institute, was previously was an associate at Phillips Lytle. Before that, he served as Policy Counsel for ACT | The App Association, where he advised on legal and policy issues related to antitrust, telecommunications, privacy, cybersecurity and intellectual property in Washington, DC. His experience also includes working as legal clerk for FCC Chairman Ajit Pai and FTC Commissioner Maureen Ohlhausen.

David Greene, senior staff attorney and civil liberties director at the Electronic Frontier Foundation, has significant experience litigating First Amendment issues in state and federal trial and appellate courts. He currently serves on the steering committee of the Free Expression Network, the governing committee of the ABA Forum on Communications Law, and on advisory boards for several arts and free speech organizations across the country. Before joining EFF, David was for twelve years the executive director and lead staff counsel for First Amendment Project.

Daniel Lyons is a professor and the Associate Dean of Academic Affairs at Boston College Law School, where he teaches telecommunications, administrative and cyber law. He is also a nonresident senior fellow at the American Enterprise Institute, where he focuses on telecommunications and internet regulation. Lyons has testified before Congress and state legislatures, and has participated in numerous proceedings at the Federal Communications Commission.

Drew Clark (moderator) is CEO of Breakfast Media LLC. He has led the Broadband Breakfast community since 2008. An early proponent of better broadband, better lives, he initially founded the Broadband Census crowdsourcing campaign for broadband data. As Editor and Publisher, Clark presides over the leading media company advocating for higher-capacity internet everywhere through topical, timely and intelligent coverage. Clark also served as head of the Partnership for a Connected Illinois, a state broadband initiative.

As with all Broadband Breakfast Live Online events, the FREE webcasts will take place at 12 Noon ET on Wednesday.

SUBSCRIBE to the Broadband Breakfast YouTube channel. That way, you will be notified when events go live. Watch on YouTube, Twitter and Facebook.

See a complete list of upcoming and past Broadband Breakfast Live Online events.

While Jeetu Patel, general manager of security at the information technology giant, didn’t specify what types of incentives can be used, he said the incentives must push private infrastructure to have high security standards. 

Both private and public sectors have a part to play in improving the nation’s security, he noted, adding private companies must build products that are secure by design. 

There is “tremendous” need for cross-nation coordination around cyberattacks, said Patel. He urged lawmakers to democratize cybersecurity by simplifying the process, adding the nation must be united to gain traction against attackers.

The cybersecurity industry has not made conversations simple to follow or technology easy to use, he said. Simplifying cybersecurity is the only way we can democratize it and when it’s democratized, it can be made universal, said Patel. 

He warned that the country cannot let the financial constraints of a few companies put the whole system at risk. Regardless of how affluent a country is, the weakest link controls the strength of the chain, he said. 

Artificial Intelligence will change cybersecurity fundamentally, he noted. It is important to remember that AI tools are also available to attackers. Currently, the majority of attacks stem from fraudulent emails which AI can make more personalized and difficult to discern from real communication, he said.  

Cybersecurity defenses must evolve

We need to develop an idea of civic responsibility for tech innovators and students in STEM fields, added Suzanne Spaulding, senior advisor of Homeland Security at the Center for Strategic and International Studies. Civic responsibility is the antidote to disinformation and is the change central to democracy, she continued.  

Spaulding warned companies against relying on existing cybersecurity measures. Resilience is about having layers of plans and assuming they all will fail, she said.  

This comes at a time of Congressional focus on cybersecurity. In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

In 2021, President Joe Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020.   

Malicious actors are targeting U.S. infrastructure, said witnesses. In 2021, President Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020. 

In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

The Administration for Strategic Preparedness and Response addresses increasingly sophisticated and frequent attacks on hospital and public health centers by providing each hospital with personalized and specific instruction on mitigation and disaster response best practices. 

Cyberattacks on hospitals have a negative effect on the surrounding area similar to that of a natural disaster, claimed Brain Mazanec, deputy director of the Office of Preparedness at ASPR. There have been more than double cyber-attacks on hospitals from 2016 to 2021, he said. 

The Environmental Protection Agency is responsible for addressing water system cyberattacks, said David Travers, director of Water Infrastructure and Cyber Resilience Division at EPA. The EPA’s Evaluating Cybersecurity guidance is intended to assist states with building their own secure systems for water and sewer systems.  

It is essential that sector specific agencies develop strong relationships with sectors under their jurisdiction well before disastrous incidents occur, said Puesh Kumar, director of the office of cybersecurity at the Energy Security and Emergency Response at the Department of Energy. 

The Energy and Commerce Committee also participated in a markup of the Energy Emergency Leadership Act Tuesday which would amend the Department of Energy Organization Act to elevate the leadership of the DOE’s emergency response and cybersecurity functions. 

“Establishing assistant-secretary leadership at the department will reflect the importance of managing this threat,” said Subcommittee on Energy, Climate, and Grid Security Chair Jeff Duncan. 

The Act passed on unanimous vote to report to the full committee without amendment. 

Duncan also emphasized the importance of a strong domestic supply chain, calling for a “‘Made in America’ system for nuclear fuel” in order to “give the domestic industry the market certainty they need to invest and build out the necessary infrastructure.”

On June 27, Broadband Breakfast’s Made in America Summit will examine energy infrastructure and international supply chain issues in depth.

Experts have warned that the $200 billion industry poses a grave threat to digital privacy, particularly for children and other vulnerable populations — sparking renewed calls for comprehensive federal privacy legislation at a hearing convened Thursday by the Oversight and Investigations Subcommittee.

“A staggering amount of information is collected on Americans every day, frequently without their knowledge or consent,” said Subcommittee Chair Morgan Griffith, R-Va. “This data then gets shared, analyzed, combined with other data sets, bought and sold. In some cases, this data is not even anonymized… There is a complete lack of safeguards.”

Data collection extends far beyond the information that most consumers are willing to enter into online forms, said Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy.

Using a variety of prediction tools, Sherman explained, data brokers infer and then sell sensitive personal information that a consumer might never have explicitly provided — for example, inferring a certain health condition based on visits to a relevant medical facility.

“These analytical tools render the factual context fundamentally different,” said Laura Moy, faculty director of the Georgetown Law Center’s Center on Privacy & Technology. “Maybe having a list of addresses on paper at one time was something that didn’t give people much cause for concern. Now those lists of historical address information can be mined to learn information about people’s relationships and their religion and their habits.”

Data brokers fuel discrimination and exploitation, witnesses say

The broad scope of data collected by brokers includes “race, religion, gender, sexual orientation, income level, how you vote, what you buy, what videos you watch, what prescriptions you take, and where your kids and grandkids go to school,” Sherman said. “This harms every American, especially the most vulnerable.”

Throughout the hearing, experts and lawmakers highlighted stories of recovering gambling addicts bombarded with sports betting ads, elderly Alzheimer’s patients targeted by predatory scammers and other examples of exploitation fueled by data brokers.

“The more you know about someone, the more you can manipulate them,” said Marshall Erwin, chief security officer of Mozilla. “You can target your message to exactly who you want, who you want, and in some cases that can be fine… but in other cases it can be terribly problematic.”

A particularly dangerous category of data brokerage takes the form of people search sites, which compile and sell millions of individuals’ data profiles. “Abusive individuals for decades have bought this data to hunt down and stalk, harass and even murder other people — predominantly women and members of the LGBTQ+ community,” Sherman said.

In addition, data brokers enable housing and employment discrimination by facilitating specific demographic targeting and exclusion — practices that are functionally comparable to historical redlining, Erwin explained.

Awaiting ADPPA reintroduction, lawmakers focus on children’s privacy

Out of all the potential harms caused by excessive data collection and sale, several lawmakers emphasized the urgency of protecting children’s online safety.

“There are few things more concerning to me… We know that Big Tech has enabled advertisers to target children for a whole range of damaging products, ranging from tobacco and e-cigarettes to low-calorie diets that can create and exacerbate body image anxieties,” said Rep. Kathy Castor, D-Fla., ranking member of the subcommittee.

Moy agreed, noting that it can be nearly impossible to delete a piece of information from the internet once it has been captured by a data broker, it can be nearly impossible to delete it. “It might exist in databases forever, and so I absolutely think children lack the capacity to consent… there should be a retention limit on information that is collected,” she said.

Castor on Monday reintroduced the Protecting the Information of our Vulnerable Adolescents, Children and Youth Act, a bill that would build on the Children’s Online Privacy Protection Act by prohibiting targeted advertisements to underage consumers and expanding protections for 13 to 17-year-olds.

The Kids PRIVACY Act is one of many recent proposals aimed at safeguarding children online, alongside the STOP CSAM Act introduced April 19 by Sen. Dick Durbin, D-Ill., and the controversial Kids Online Safety Act, which Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., are expected to reintroduce in the coming days.

Several lawmakers at Thursday’s hearing also voiced their support for the bipartisan American Data Privacy and Protection Act, which failed to pass in 2022 after then-Speaker Nancy Pelosi, D-Calif., opposed its preemption of state privacy laws.

In the absence of comprehensive federal legislation, both businesses and consumers must struggle to navigate a “patchwork of state laws and narrow protections that leave a wide swath of our neighbors vulnerable to privacy abuses — including by data brokers,” Castor said.

On April 19, Reps. Anna Eshoo and Zoe Lofgren, both California Democrats, reintroduced their Online Privacy Act with an amendment framing the legislation as a federal floor rather than a ceiling — potentially providing a framework for the next iteration of the ADPPA to address their state’s preemption concerns.

“The days of handling the internet as the all-democratizing force is behind us, and now there needs to be a real role for the government,” said Priya Vora, managing director of the Digital Impact Alliance.

The public sector’s challenge is to find effective solutions for all of the practical questions that arise alongside technological developments, Vora continued.

“How do you create a data protection authority with budget and staffing independence from the administration?” she asked. “How do you create redressal systems that are responsive, especially when you have a judicial system that’s very slow? How might you put online dispute resolution baked into your technology layers?”

The private sector should also play a role in the development and regulation of digital infrastructure, said Tim Murphy, chief administrative officer at MasterCard. “There’s things that are best in the public sector, but there’s things we can do better as well, and trying to advance the conversation about where private can make a constructive contribution in the context of a regulated market is something that is critical to our future.”

Building public trust is an essential step toward successful digital infrastructure development for both government entities and private tech companies, said Arturo Herrera Gutiérrez, global director for governance at the World Bank.

Many modern challenges call for “not only a technical solution, but they actually require an engagement strategy with the citizens,” Gutiérrez explained. “It’s not sufficient to bring what’s the best solution — it’s important to explain to them why the solution is good for them.”

‘Regulatory umbrella’ could fight digital fragmentation

Concerns about digital privacy and data security currently present some of the biggest barriers to public trust in emerging technologies. While acknowledging the United States as a hub for technological innovation, panelists pointed to the European Union as the global leader in data privacy protections.

“The whole next wave of innovation should really be about giving more tools of transparency and control to people,” Vora said.

MasterCard has implemented standards similar to the European Union’s General Data Protection Regulation around the world, Murphy said. “We need to be laser focused on highest global standards on privacy… even though it’s not required,” he said.

In addition to potentially harming user trust, the significant regulatory discrepancies between various countries and states contributes to digital fragmentation — which disrupts global businesses, restricts cross-border data flow and limits user choice.

“We need to be very careful and thoughtful about the kind of world we’re creating in terms of digital fragmentation,” Murphy said.

“A sort of regulatory umbrella — not to stifle innovation, but to have some basic agreed-to rules of the road — is incredibly important,” agreed Josh Lipsky, senior director of the Atlantic Council’s GeoEconomics Center.

Vora noted that these regulatory challenges will only become more complicated as digital globalization increases. The rapid headway of generative artificial intelligence technologies will likely “put all of this on steroids,” she added.

Murphy called for public and private sector stakeholders to come together and thoughtfully consider how to best regulate rapidly evolving technologies such as artificial intelligence.

“Anyone who tells you they’ve got the answers on how to navigate generative AI and so on is selling something, and that really needs our careful attention,” he said.

In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.

This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”

“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”

The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.

In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.

As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.

“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.

Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”

The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.

FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.

“Robocalls have completely undermined the value of the U.S. telephone system,” said Margot Saunders, senior attorney at the National Consumer Law Center. “The system is losing value and that’s hurting all of us — especially businesses and health professionals who are trying to reach people in health emergencies.”

In addition to being an annoyance, fraudulent robocalls are expected to cost mobile subscribers more than $58 billion in 2023 alone, Saunders added.

The Federal Communications Commission voted Thursday to expand the STIR/SHAKEN robocall regime to include providers that receive and deliver phone traffic. Previously, the rules only applied to voice service providers that originate and terminate calls.

“This was a gap in our rules, a way to let junk calls sneak into our networks and reach unassuming consumers,” FCC Chairwoman Jessica Rosenworcel said in a statement. “No more. Today we close this loophole and require intermediate providers… to use STIR/SHAKEN. We also insist that they, along with all other providers, register in our Robocall Mitigation Database.”

Downstream carriers will be prohibited from accepting calls from intermediate providers not listed in the database, Rosenworcel added.

“In my almost 38 years of practice, I have never seen the FCC actually produce more rules and regulations around a single issue in a shorter time as they have with robocalling,” said Glenn Richards, partner at Pillsbury Winthrop Shaw Pittman LLP, at the Broadband Breakfast event.

Panelists disagree about efficacy of STIR/SHAKEN

Despite the FCC’s efforts, some of the initiatives intended to combat robocalling have resulted in more harm than good, claimed Jonathan Marashlian, managing partner at The CommLaw Group.

“STIR/SHAKEN is not the answer,” Marashlian said. “Maybe it was a very small incremental step in a positive direction, but there are so many holes in the framework from just a sheer technological standpoint.”

Vonage Founder Jeff Pulver agreed that STIR/SHAKEN has proven ineffective. “We’re living in an era where we should be able to communicate more, not less,” he said. “Yet the shenanigans that have been going on have actually dramatically reduced call completion rates.”

But other panelists were more optimistic. Richards argued that it was too early to deem STIR/SHAKEN a failure, noting that some problems — such as traffic originating from overseas call centers — are not entirely within the FCC’s control.

“STIR/SHAKEN is by no means a failure — it is an essential element of the full response needed… but it is only one,” Saunders said. “If you have a panoply of problems and you close the door against one of them and leave the other door open, you haven’t solved the problem because all the bad players will simply come in through the other door.”

The fact that VoIP providers are allowed to rent phone numbers to telemarketers and scammers “completely undermines the whole purpose of STIR/SHAKEN,” Saunders added.

Which party is responsible for blocking robocall traffic?

In determining responsibility for bad traffic, Saunders drew an analogy to a grocery story that repeatedly sold spoiled milk from a variety of different brands. “The authorities would go down and say, ‘Grocery store, if you can’t stop selling bad milk because you can’t control your suppliers, we’re going to shut you down,’” she said. “In the end, it’s the terminating providers’ job, we think, to police the providers from whom they accept calls.”

Richards took a different approach. “I think the obligation really belongs to the originating service provider to taste the milk before they send the call,” he said. “There’s probably a relatively small number of originating service providers that are responsible for a large number of the illegal fraudulent traffic that is getting into the United States… and frankly, I think it’s important that those parties probably are the ones that are subject to enforcement.”

While Saunders agreed that the originating providers would ideally be held liable, she noted that “this problem has been going on for years and we’ve not been able to catch them.” Holding the terminating partners accountable, she said, would provide a more effective and pragmatic solution.

Pulver proposed a system where the caller party would pay and the destination party would set the price for call completion. In addition, he said, consumers should be empowered with tools such as “personal communication firewalls” that would allow individuals to block all unrecognized traffic.

Richards also promoted consumer choice, but noted that “not all consumers have that same technical capability — and particularly older consumers, who are the targets of a lot of these nefarious practices — so having the carriers intervene make some sense.”

Our Broadband Breakfast Live Online events take place on Wednesday at 12 Noon ET. Watch the event on Broadband Breakfast, or REGISTER HERE to join the conversation.

Wednesday, March 22, 2023, 12 Noon ET – Robocalls, STIR/SHAKEN and the Future of Voice Telephony

The Federal Communications Commission calls the fight against illegal robocall traffic its “top consumer protection priority.” The agency’s March 16 meeting heard discussion of several proposed rules to strengthen STIR/SHAKEN, from requiring intermediate providers to authenticate certain calls to adopting more robust enforcement tools. Required by the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019, has the FCC succeeded in making the STIR/SHAKEN framework work? Or is voice telephony still at the mercy of robocallers?

• Margot Saunders, Senior Attorney, National Consumer Law Center
• Jeff Pulver, Founder, Vonage
• Glenn Richards, Partner, Pillsbury Winthrop Shaw Pittman LLP
• Jonathan Marashlian, Managing Partner, The CommLaw Group
• Drew Clark (moderator), Editor and Publisher, Broadband Breakfast

Panelist resources

• Legislating to Stop the Onslaught of Annoying Robocalls, Margot Saunders, April 30, 2019
• Illegal Robocalls: Calling All to Stop the Scourge, Margot Saunders, April 11, 2019 
• FCC Expands Robocall Regime to Intermediaries, Establishes Robotext Protections, Broadband Breakfast, March 16, 2023
• VON Evolution Conference Will Address Intersection of Telecom, AI, 5G and Blockchain, Broadband Breakfast, March 21, 2023
• U.S. Robocall Mitigation Ecosystem Demands All Telecommunications Companies Pay Attention as New Threats Emerge and Compliance Balloons Well Beyond Mere FCC Compliance, The CommLaw Group
• CommLaw Group Robocall Mitigation Response Team
• Introduction to CommLaw Commpliance Group

As with all Broadband Breakfast Live Online events, the FREE webcasts will take place at 12 Noon ET on Wednesday.

SUBSCRIBE to the Broadband Breakfast YouTube channel. That way, you will be notified when events go live. Watch on YouTube, Twitter and Facebook.

See a complete list of upcoming and past Broadband Breakfast Live Online events.

“States have realized that the federal government is going to be very slow in acting in this area,” said James Czerniawski, senior policy analyst at Americans for Prosperity. “So they’re going to try to take the lead here.”

Speaking at a Cato Institute forum on Wednesday, Czerniawski described the two competing approaches that have emerged among the various state laws and proposals.

The first is typified by California’s Age Appropriate Design Code Act, passed in August 2022, which requires that online platforms proactively prioritize the privacy of underage users by default and by design. Many aspects of the law are modeled after the United Kingdom’s Online Safety Bill, a controversial proposal that would establish some of the world’s most stringent internet regulations.

The second approach focuses on age verification, such as Utah legislation that will require social media companies to verify the age of Utah residents before allowing them to create or keep accounts.

In addition to those two core directions, many of the state proposals have their own unique twists, Czerniawski said. For example, the Utah legislation prohibits any design choice that “causes a minor to have an addiction to the company’s social media platform.” While the bill has not yet been signed, Gov. Spencer Cox has previously indicated his intent to do so.

For online platforms that operate nationally or internationally, complying with a growing range of disparate state privacy laws will only become more complicated, Czerniawski said. “This patchwork doesn’t work.”

Potential unintended consequences for free speech, competition and privacy

Some experts have raised concerns that legislation intended to protect children online could have unintended consequences for the privacy and speech rights of adult users.

Matthew Feeney, head of technology and innovation at the Centre for Policy Studies, argued that a heavy compliance burden could incentivize online platforms to over-moderate content. “Given the punitive fines attached to the Online Safety Bill, I think they will engage in an abundance of caution and remove a lot of legal and valuable speech.”

The task of determining which users are underage and then figuring out how to prevent them from seeing any harmful content presents a significant challenge for platforms that host a massive amount of user-generated content, Feeney said.

“Something that’s very crucial to understand is that if you require firms to treat children differently, then you’re asking them to find out which of their users are children — and that is not free; that is a cost,” he added. “And for many firms, I think it will just be cheaper to err on the side of caution and assume all users are children.”

In addition to the implications for online speech, Feeney expressed concern that the regulatory burden adds a “very worrying anti-competitive element” to the legislation. “Most of the companies that will be in scope do not have the army of lawyers and engineers that Meta and Google have,” he said.

While the age verification measures might be easier in terms of compliance, Feeney said, they might ironically create their own risk to children’s online privacy by mandating the collection of highly identifying data.

Czerniawski agreed, specifically pointing to TikTok. “From a privacy standpoint, it seems a little odd that we want to have a company that currently has some security concerns collecting more information on kids in order to continue operating in the country,” he said.

Despite agreeing that there may be legitimate concerns about TikTok’s privacy practices, Czerniawski again argued that many of the proposed solutions — such as a complete national ban — fail to address the actual problem.

“If you’re truly concerned about the privacy issues that TikTok has raised, that’s why… we need a federal data privacy law passed, right? I think that that can go a long way towards solving a lot of those issues,” he said.

In terms of child-specific legislation, Czerniawski called for a more narrowly targeted approach to address problems such as the proliferation of online child sexual abuse material without risking the privacy and free speech rights of all other internet users. “We have to be very serious when we’re looking at trade-offs that are involved here,” he said.

Under the previous rules, only voice service providers that originate and terminate calls were required to implement analytical tools that are intended to ensure, among other things, that the phone numbers appearing on caller I.D. are actually from the holder of the number to stop scam calls. But the STIR/SHAKEN robocall regime, which the commission began to enforce in June 2021, did not extend to the middlemen, or intermediary, providers.

That changed Thursday when the commission voted unanimously to broaden the regime to first intermediaries. The commission said that there are still some initiating call providers who are not capable of using the STIR/SHAKEN framework and still others who deliberately fail to authenticate the calls, hence why authentication should be implemented along the call traffic route, the commission said.

“By requiring the next provider in the call path to authenticate those calls, the FCC closes a gap in the caller ID authentication regime and facilitates government and industry efforts to identify and block illegal robocalls,” the commission said in a news release.

As such, intermediary service providers that fail to comply with the new rules will now also be subject to removal from the Robocall Mitigation Database, which would mean other providers would not be able to receive their call traffic.

The FCC noted that the new rules, which require the intermediaries to comply with by December 31, would “maximize” the number of authenticated calls.

In addition, the new FCC rules require all voice service providers to take “reasonable steps” to mitigate illegal robocall traffic and submit to the commission a certification and mitigation plan that would also include details about the provider’s role in the call chain, STIR/SHAKEN implementation obligations, and any law enforcement, regulatory or investigation into such illegal calls.

The commission has taken aggressive action in recent months against providers who have allegedly been non-complaint with the regime, including proposing record fines and forcing other providers to halt driving to and receiving traffic from offenders.

The rules impose fines on a per call basis and establish enforcement consequences for repeat offenders.

Illegal robocalls are number one complaint the FCC hears about from consumers, according to the commission.

FCC adopts first rules on robotexts and asks about further regulatory measures

The commission also unanimously adopted rules against scam text messages sent to consumers and is asking the public about further regulator actions it should take to protect against the texts.

The order adopted Thursday would require mobile service providers to block text messages that are “highly likely to be illegal,” including from phone numbers that are “invalid, unallocated, or unused.” The rules will also apply to numbers whom the subscriber said it never used to send text messages and to those of government agencies that identify the numbers as not being used for texting. It also requires the providers establish a point of contact for text senders, which senders “can use to inquire about blocked texts.”

The commission is also seeking comment on a proposal to clarify that Do-Not-Call Registry protections, which blocks marketing messages to the registered numbers in the database, apply to text messages. The commission said this would close the “lead generator loophole,” in which companies can use a texted point of consent to “deliver robocalls and text messages from multiple – perhaps thousands – of marketers on subjects that may not be what the consumer had in mind.”

Comments are due 30 days after the proposal’s publication in the federal register.

Text message scams have increased 500 percent in recent years, according to the commission, with complaints rising from roughly 3,300 to 18,900 per year from 2015 to 2022. The commission noted that unlike robocalls, text messages are “hard to ignore or hang-up on and are nearly always read by the recipient.” They can also include links that leads to websites that can install malicious software on the consumer’s phone, the agency said.

Agency chairwoman Jessica Rosenworcel proposed the rules last month.

“Robocalls and robotexts are a huge annoyance for everyone,” said a statement from Nick Garcia, policy counsel to advocacy group Public Knowledge. “We’re frequently bombarded with illegal scams and shady spammers – and many consumers don’t know how to protect themselves or where to turn for help. It’s clear that we need strong rules to cut down on this growing problem.

“The FCC has made great strides in combating robocalls, and it is encouraging to see that work continue while the FCC now takes steps to ensure consumers are protected from illegal and unwanted text messages,” Garcia added. “Today’s rules are a win for consumers, providing a common-sense baseline of protection from the kinds of illegal robotexts that are most obvious to identify—those that spoof invalid, unallocated, unused, or inbound-only numbers.”

Satellite to ground mobile coverage and prison call rates proposals 

The commission also unanimously voted in favor of initiating a proceeding on a proposal from the chairwoman last month to allow for satellite broadband providers to get authorization to use the flexible spectrum already licensed to agreeing ground-based mobile wireless providers to fill in dead zones not covered by the latter.

The supplemental coverage proposal, part of the commission’s “single network future” vision, is for non-geostationary orbit satellite operators, such as low-earth orbit satellite providers like SpaceX’s Starlink, focused on portions spectrum in the 600 MHz, 700 MHz, 800 MHz Cellular Radiotelephone Service, and the Wireless Communications Service (2305 to 2360 MHz) bands.

“Connecting consumers to essential wireless services where no terrestrial mobile service is available can be life-saving in remote locations and can open up innovative opportunities for consumers and businesses,” the FCC said.

The commission is also asking how this framework could support access to emergency services like 9-1-1 and wireless emergency alerts.

There have been a number of partnerships between satellite broadband providers and mobile wireless providers for this purpose. In August, SpaceX announced its Starlink satellites will be able to connect T-Mobile’s customers in rural areas to fill gaps in the ground network by having the space company use a portion of T-Mobile’s Personal Communications Services spectrum. The service is anticipated for later this year.

The commission also unanimously voted to initiate a proceeding into implementing a new law requiring the agency to look into the prices charged to incarcerated people to call loved ones.

Passed late last year and enacted in January, the Martha Wright-Reed Just and Reasonable Communications Act requires the FCC to review those rates by expanding its authority over those communications services. Previously, the commission only had authority between states and foreign locations; now, it’s being handed authority to tackle rates and charges for voice and video calls within states. The law requires the regulator to adopt “just and reasonable rates” no earlier than 18 months and no later than 24 months since enactment.

As such, the commission is asking commenters about the expansion of the regulator’s authority to deal with interstate calls, what “just and reasonable” means in the context of the law, how to approach setting rates, and the commission’s ability to ensure communication service for people with disabilities.

The FCC cited studies that it said show incarcerated people “who have regular contact with family members are more likely to succeed after release and have lower recidivism rates.”

Public Knowledge, in a separate statement, also applauded the proposed rulemaking to address “unconscionable phone rates” that “impose undue hardship on families.”

Comments on both matters are due 30 days after their publication in the federal register.

A number of states have already passed or are in the midst of passing their own privacy laws, with versions in California, Colorado, Connecticut, Utah, and Virginia having already come into – or are coming into effect – this year. Simultaneously, Congress is seized with pushing forth one blanket law for the entire country, with commitments from members of an innovation subcommittee to resurrect such a law. All laws address the collection, use, storage and sharing of data.

Photo of “Regulating Data Privacy” panelists Shane Tews, India McKinney, Alan Butler, Carl Szabo, Sara Collins and John Verdi (moderator) by Drew Clark

The last federal privacy proposal, called the American Data Privacy and Protection Act, did not pass both chambers before legislative turnover. One sticking point for lawmakers on that law was the possibility of pre-empting state laws, including California’s, whose members were vocal about their opposition on that front. Rep. Anna Eshoo, D-Calif., proposed her own amendment that would make the federal law a baseline and states could add provisions on top.

On Thursday at the Big Tech & Speech Summit, panelists grappled with the implications of that. On one side was the Electronic Frontier Foundation, represented by director of federal affairs India McKinney, who argued for more state consumer protection laws. McKinney suggested that a layering of privacy laws would actually increase consumer protections. The EFF has argued for a floor, not a ceiling, for any version of a federal privacy law.

The organizations has argued that some provisions in the aforementioned state laws are stronger than the ADPPA. Part of the argument is that states are knowledgeable of their own problems and should be able to fix them themselves.

Differing perspectives from ‘pro-privacy’ panelists

On the other side were Carl Szabo, vice president and general counsel for free speech and enterprise trade association NetChoice, and Shane Tews, nonresident senior fellow at the think tank American Enterprise Institute. Szabo pressed for a federal privacy law with pre-emption because of what he argued was a problematic patchwork of various laws that create regulatory and financial burdens on businesses.

Szabo piggybacked off a point made by Cathy Gellis, a lawyer and moderator for another panel, who argued that having different state laws would put her clients in a difficult spot because she wouldn’t be able to advise them in different jurisdictions in which she isn’t licensed to practice. In other words, the client would have to see more lawyers to ensure compliance.

Dane Snowden, senior advisor at telecom-focused law firm Wilkinson Barker Knauer, argued in an earlier panel that it is unfeasible for a product traveling through multiple jurisdictions to have to comply with various different privacy laws.

Szabo said having lots of privacy laws in the country is good for lining the pockets of lawyers, but bad for businesses.

Tews, who also argued for a federal privacy law, touched on the issue from a consumer perspective.

“Consistency, I think, is one thing that’s very important,” Tews said. “From a consumer’s perspective…it is that the information is consistent…we need to have a consistent national perspective on this.”

Tews also touched on this being an international trade issue.

Years ago, for example, the European Union made a fuss about its trading partners not having sufficient data privacy protections for its citizens. Its data protection law, the General Data Protection Regulation, was leveraged as a trade issue to ensure its citizens had data privacy protections for goods and services transacting across borders.

“We need to think about where this information is flowing and where this is actually ending at the end of the day,” Tews said.

To watch the full videos join the Broadband Breakfast Club below. We are currently offering a Free 30-Day Trial: No credit card required!

The Democrats and the Republicans have taken opposite positions on what to do with the liability provision under the Communications Decency Act, which shields technology platforms from the legal consequences of what their users post. That division – to allow more or less content moderation on platforms – coupled with the Republicans taking back the House, means the issue may not be resolved in a timely manner – if ever.

That’s why a focus on federal privacy legislation should grip lawmakers to avoid the negative effects of a patchwork of different state laws with different interpretations of privacy, according to panelists at the event Thursday.

Photo of Subcommittee Chair Gus Bilirakis at Big Tech & Speech Summit Thursday by Tim Su

“You cannot have 50 different regimes to manage the privacy and data breach regulations of the companies,” said Steve DelBianco, president and CEO of NetChoice, a trade association for free speech and enterprise. “I am not so worried about Section 230 because the two parties that run this country have completely opposite aims in mind for 230.” NetChoice has been one of the main opponents to social media laws in Florida and Texas that would restrict certain moderation practices by tech platforms.

Dane Snowden, senior advisor at telecom law firm Wilkinson Barker Knauer, also noted that there’s no common definition of the Section 230 problem. “The challenge that we have right now is there’s not a common definition of the problem that you’re trying to fix…until you have that, you’re going to have both parties going in opposite directions on 230.

“I think privacy is the number one thing we should focus on – we need to have a national privacy framework.” Snowden illustrated the problem by using the example of a product that must go through multiple jurisdictions to get to its destination. He said this is unfeasible when those jurisdictions have different laws.

But Eli Noam, the director of Columbia University’s Institute for Tele-Information – who gave a keynote speech on the use of artificial intelligence for the metaverse – said there may be some upside with state privacy laws because it would allow them to explore and experiment on privacy rules.

On Section 230, Amy Peikoff, head of policy and legal of social media company Parler, noted she’s glad there’s a stalemate because she said “any amendment that would come forth right now would make it worse.”

Earlier this month, members of the House Innovation, Data and Commerce subcommittee reiterated their support for a federal privacy legislation and discussed how to build on the previously introduced American Data Privacy and Protection Act before the midterm-induced turnover in Congress.

The ADPPA addressed algorithmic bias testing, limits on targeted advertising to kids and a pre-emption provision that would allow the federal law to usurp state law.

Subcommittee Chair Gus Bilirakis opened the summit with remarks about the need to amend Section 230 to address problems associated with kids’ use of social media, including suicidal ideations.

To watch the full videos join the Broadband Breakfast Club below. We are currently offering a Free 30-Day Trial: No credit card required!

The proposals are particular to the border gateway protocol, which is how global traffic is routed. The problem is that there are no security features to ensure trust of the information being routed, according to the FCC, which opened a proceeding on the matter on February 28 last year asking for commentary on what to do about the issue. The concern is that without security measures, bad network actors can redirect traffic to itself instead of the intended recipient, which exposes Americans to the theft of identity, extortion, financial transactions, and state spying, the commission noted.

In the letter last week, the three telecommunications companies proposed that secure internet traffic routing practices over the border gateway protocol first focus on critical infrastructure entities in the United States and its allies to allow these telecommunications companies to protect the traffic routes via filtering.

The filtering would involve registering traffic origins and identifying where to filter traffic along the route, including at interconnection peering points and customer routers. The proposed strike force would involve Big Tech companies and cloud platforms, which the FCC asked if it should include in its original proceeding document, as they have networking equipment and BGP routers. The internet service providers, who have their own filtering practices, also floated the possibility of the Cybersecurity and Infrastructure Security Agency requiring other agencies to provide that information.

The proposal also includes “collaborative assurances” in which the ISPs would provide confidential technical briefings about the practices.

But they advise against the FCC making prescriptive rules about such practices, noting that different ISPs have different approaches by design, and that any onerous approach could jeopardize security, not bolster it.

Questions about FCC’s jurisdiction over a fundamentally global internet routing system

The trio also questioned the jurisdiction of the commission on the routing ecosystem, which is fundamentally global.

“Asserting prescriptive regulatory control over internet protocols could have cascading effects, prompting international regulators – and authoritarian regimes in general – to seek greater internet control at the global level through” the United Nation’s telecommunications regulatory, the International Telecommunication Union.

“This would create barriers to U.S. leadership in the global digital economy and U.S. national security and is directly contrary to core interests of the United States and our free market democratic allies,” they added.

The FCC’s notice came just days after Russia’s invasion of Ukraine, which resulted in reports of increased cyberattacks from the warring regions. In fact, the FCC accused Russian network operators of inexplicably routing traffic through its country, including from traffic from Google, Facebook, Apple, Microsoft and major credit card companies MasterCard and Visa.

It also came before a law was passed that requires critical infrastructure companies to report to the federal government within a certain timeframe when they have experienced a hack or breach, as the country grapples with a number of high-profile attacks since the pandemic began.

The FCC has targeted national security threats by halting license authorizations to Chinese firms and putting on a blacklist a number of companies whose equipment American telecommunications companies are expected to remove from their networks.

Cybersecurity insurance will be extraordinarily important for small-to-medium-sized businesses, said Jamil Farshchi, executive vice president and chief information security officer. But premium cybersecurity insurance coverage has increased in recent years, with many small-to-medium-sized businesses relying on that cybersecurity insurance to keep them safe.

“These are small businesses that don’t have the resources that larger organizations do,” Farshchi said. “So I worry as the insurance market evolves, the premiums and the coverage levels are getting such that is very difficult.”

Equifax was a victim of one of the country’s most infamous breaches, when in 2017 the data of 147 million Americans were stolen by hackers. The company settled for hundreds of millions of dollars with the Federal Trade Commission.

Experts have urged companies to assume that any outside program is vulnerable to hacking, a position known as “zero trust.” This way, they can take the necessary measures to address the attack.

The United States has been on heightened alert when it comes to cybersecurity issues. Over the last two years, a number of high-profile cybersecurity breaches have impacted a software company, an oil transporter, and a meat producer. Those cybersecurity problems have triggered legislation that requires that the federal government be alerted when critical industries suffer such breaches.

After Russia invaded Ukraine early last year, a number of cybersecurity hacks emerged from those countries, according to an Atlas VPN report shortly after the invasion.

Broadband policies present a promising opportunity for bipartisan collaboration, said Marissa Mitrovich, vice president of public policy for the Fiber Broadband Association. “These are the issues that impact every single American, and they’re not a partisan issue — everyone needs access to affordable, reliable broadband.”

The most significant upcoming development to the national connectivity landscape will likely be the infusion of funding from the $42.5 billion Broadband Equity, Access and Deployment Program, expected to be allocated to the states by June 30. Many state entities have raised concerns about the national broadband map that will determine BEAD distribution, with several claiming they lacked the necessary time and resources to adequately challenge the map’s inaccuracies.

“The challenge process is important, but keep in perspective that this first go-around is really for state allocations — it is not the round that will really then determine where it is that’s unserved and underserved,” said Shirley Bloomfield, CEO of NTCA–The Rural Broadband Association.

Bloomfield also cautioned against becoming overly distracted by the “shiny new toy” of federal funding, noting the importance of reforming existing programs to ensure that new networks being built can be sustained and will remain affordable.

“If at the end of the day consumers can’t access and afford those networks, I’m not sure how far we’ve moved the ball forward,” she said.

One key program in need of reform is the Universal Service Fund, a multi-billion-dollar fund that subsidizes basic telecommunications services for low-income households and rural communities. The USF will likely run out of money during 2024, with some even predicting that this will happen during the first quarter of the year, said Grant Spellmeyer, president and CEO of ACA Connects.

Panelists at the Broadband Breakfast Live Online session on February 1, 2023.

“That means that we’re 12 months away from a real problem…There are 16 million households, 55 million Americans relying on that program right now,” Spellmeyer added.

With the future of the program — and the connectivity it provides to millions of people — in jeopardy, Congress may have the chance to play a crucial role in extending the program, Bloomfield said. “All Americans, regardless of where they live, should have access to comparable and affordable services.”

Industry experts disagree over whether fiber should be prioritized

The BEAD program’s prioritization of fiber over other broadband technologies has drawn both praise and criticism. Proponents tout fiber’s superior speeds and longevity, while others argue that emerging technologies should be given a chance to develop.

In November, the National Telecommunications and Information Administration — the Commerce Department agency responsible for administering the BEAD program — came under fire for its stated preference for fiber, which a group of Republican senators said was in “stark contrast to Congress’s tech-neutral intent.”

“Tech neutrality is critical… There are benefits of fiber, fixed wireless, satellite and traditional mobile,” said David Grossman, vice president of regulatory affairs for the Consumer Technology Association, at the Broadband Breakfast event.

“It’s going to take every tool,” Bloomfield agreed, noting that the best technology for any given area would depend on a broad range of factors. However, she emphasized the benefits of deploying fiber when possible. “We have this opportunity, and frankly, shame on us if we don’t actually put in future-proof technology the first time around.”

Fiber infrastructure will also support the rapidly growing demand for symmetrical gigabit speeds, Bloomfield added.

Spellmeyer pointed to a new ACA Connects study making state-by-state predictions for BEAD funding allocation and outlining two national deployment scenarios: a “baseline fiber” approach and a “maximum fiber” approach.

“It’ll be up to governors to decide how they want to approach the allocation of funding, but I think a whole lot of governors can deliver a whole lot of fiber,” Spellmeyer said. “And then there will be opportunities… in very high-cost areas for wireless to play a role as well.”

Mitrovich strongly supported fiber prioritization, noting that “what might be a little bit more investment on the front end is going to really save money in the long run — and create opportunity, whether it’s through jobs, access to healthcare, access to education.”

“We believe fiber is really the most important connectivity technology for consumers and how we’re going to connect America — and the only way this happens is if government and industry work together,” Mitrovich said.

Bipartisan privacy legislation may still have a chance

Although many policy proposals may struggle to gain traction in a politically divided Congress, Grossman was optimistic about the prospect of bipartisan privacy legislation.

“It’s something everybody can relate to, both sides of the aisle, and I think that that was reflected in the fact that we got to a ‘three corners’ bill last year,” he said, referring to the bipartisan House support and Republican Senate support garnered by the American Data Privacy and Protection Act toward the end of 2022.

The primary hurdle that stalled the ADPPA’s passage was its preemption provision, which was fiercely opposed by lawmakers from states with strong preexisting privacy legislation.

Tech associations and industry groups have been generally supportive of state preemption. “It’s very clear that a patchwork of 50 state laws is not workable — it’s burdensome, particularly for startups, [and] confusing for consumers,” Grossman said.

Bloomfield agreed, emphasizing the importance of “a national standard and uniform approach that really treats all online data consistently… so consumers know what their expectations are.”

Another contentious privacy debate at the heart of the ADPPA is whether individuals should be able to sue companies for infractions. The bill’s final version included a narrow private right of action — the product of significant bipartisan compromise.

However, Grossman rejected this agreement, arguing that “private right of action is hugely, hugely detrimental to the industry and to innovation.”

Our Broadband Breakfast Live Online events take place on Wednesday at 12 Noon ET. Watch the event on Broadband Breakfast, or REGISTER HERE to join the conversation.

Wednesday, February 1, 2023, 12 Noon ET – What Will the 118th Congress Do on Broadband and Big Tech?

Hampered by a new partisan divide, what will the 118th Congress be able to accomplish in terms of broadband and technology policy? In particular, what do broadband and technology industry groups see as realistic policy priorities under divided government? Many members of Congress want to sharply curb the power of Big Tech, including through a potential national TikTok ban. Another issue left unresolved from last Congress was the state of information privacy legislation. These developments take place against a backdrop of the largest federal investment in broadband ever. Will Congress have anything new to say about infrastructure investment, wireless communication or network neutrality?

Panelists:

• Shirley Bloomfield, CEO, NTCA–The Rural Broadband Association
• Grant Spellmeyer, President & CEO, ACA Connects
• Marissa Mitrovich, Vice President of Public Policy, Fiber Broadband Association
• David Grossman, Vice President of Regulatory Affairs, Consumer Technology Association
• Drew Clark (moderator), Editor and Publisher, Broadband Breakfast

Panelist resources

• Rural Broadband Providers Increasing Speeds on Fiber Networks, Annual NTCA Report Finds, NTCA–The Rural Broadband Association, December 5, 2022

Shirley Bloomfield is CEO of NTCA–The Rural Broadband Association, the premier association representing nearly 850 independent telecommunications companies that are leading innovation in rural and small-town America. With more than 30 years of experience representing the country’s smallest telecom operators, Bloomfield is an expert on the role of federal communications policies in sustaining the vitality of rural and remote communities and the benefits rural broadband networks bring to millions of American families, businesses and the national economy. Bloomfield has a strong track record of leadership in aligning strategic partnerships among rural telecom companies, their larger counterparts, other rural utilities and federal agencies, advancing digital equity and economic opportunities for rural Americans.

Grant Spellmeyer oversees the daily operations and affairs of ACA Connects-America’s Communications Association, a 700-member, non-profit advocacy association dedicated to serving smaller- and medium-sized, independent broadband, phone and video businesses that serve more than 10 million broadband customers nationwide. ACA Connects represents its Members and advocates their concerns before Congress, the Federal Communications Commission, and other agencies in Washington, D.C. Prior to joining ACAC, Grant was vice president of government affairs for US Cellular where his primary duties included directing the federal and state legislative and regulatory efforts across the company’s 21-state operating territory on all policy matters.

Marissa Mitrovich is the Fiber Broadband Association’s vice president of public policy, leading their efforts before Congress, the White House and regulatory agencies in Washington, D.C. She brings more than two decades of experience in governmental affairs and telecom, including previous roles as the vice president of federal legislative affairs for Frontier and vice president of public policy for Verizon, where she interfaced with the administration and worked on state government affairs issues and corporate responsibility initiatives. Mitrovich also brings experience in workforce development and public-private partnerships from her time as vice president of program development for the Wireless Infrastructure Association.

David Grossman serves as vice president of regulatory affairs for the Consumer Technology Association, where he is responsible for representing the association before the FCC, FTC and other government agencies, with a focus on broadband, spectrum policy, cybersecurity and online competition. David spent nearly a decade in public service, including serving as Chief of Staff to FCC Commissioner Mignon Clyburn, Legislative Director and Senior Advisor for Technology Policy to Rep. Anna Eshoo of Silicon Valley, and as Technology Counsel to the U.S. House Small Business Committee under the leadership of Rep. Nydia Velázquez.

Drew Clark (moderator) is CEO of Breakfast Media LLC. He has led the Broadband Breakfast community since 2008. An early proponent of better broadband, better lives, he initially founded the Broadband Census crowdsourcing campaign for broadband data. As Editor and Publisher, Clark presides over the leading media company advocating for higher-capacity internet everywhere through topical, timely and intelligent coverage. Clark also served as head of the Partnership for a Connected Illinois, a state broadband initiative.

As with all Broadband Breakfast Live Online events, the FREE webcasts will take place at 12 Noon ET on Wednesday.

SUBSCRIBE to the Broadband Breakfast YouTube channel. That way, you will be notified when events go live. Watch on YouTube, Twitter and Facebook. 

See a complete list of upcoming and past Broadband Breakfast Live Online events.

Article III, which grants power to the judiciary branch, states that federal courts can only hear “cases or controversies,” which requires the plaintiff to have a legal right to sue. Standing requires that the plaintiff have a “concrete and particularized” injury.

For those lawsuits that represent the interests of a large number of people, standing becomes more complicated and data security is right at the forefront, said Aaron Weiss of Carlton Fields law firm at the Federal Communications Bar Association event.

Recent court decisions have relied heavily on an appeal to historical antecedent, said Heather Elliott, professor at the University of Alabama School of Law.

A 2016 Supreme Court decision – in which the plaintiff, Thomas Robins, accused “people search engine,” Spokeo, of sharing incorrect information about him – overruled the Ninth Circuit decision on the basis that the plaintiff could not prove that the injury was concrete.

Telephone Consumer Protection Act

The Federal Communications Commission has regulatory authority under the Telephone Consumer Protection Act to prohibit using automatic telephone dialing systems to call residential or cellular telephone lines without consent.

In 2018, John Salcedo brought a class action lawsuit against Alex Hanna, alleging that Hanna had violated TCPA by sending an unconsented automized text. The Eleventh Circuit determined that there was no concrete injury. Its verdict stated that “on text messaging generally… the judgement of Congress is ambivalent at best.”

On a similar case in 2021, however, the Fifth Circuit held that a single text message was the invasion of privacy that Congress intended to ban under the TCPA and delegated authority to the FCC to implement the law.

To further complicate the matter, state courts are under different jurisdiction and may rule separately from its circuit, said Weiss.

“It is very clear that the lower courts are super confused,” added Elliott.

The FCC is currently taking steps to combat telephone scammers. It ruled in November that straight-to-voicemail robocalls are calls under the TCPA and will be subject to the law’s consumer protections. According to the TCPA, read the commission’s ruling, the recipient of an automatic dialing system, artificial voice, or prerecorded message must provide affirmative consent prior to receiving it.

Major questions doctrine

The FCC, however, is itself facing uncertain regulatory authority. In June, the Supreme Court held that in “extraordinary cases” a federal agency, such as the FCC, must point to “clear congressional authorization” for the authority it claims.

Under the major questions doctrine, the Supreme Court can reject federal agency claims of regulatory authority when the issue is of “vast economic and political significance” and when Congress has not clearly endowed the agency with authority over the issue.

Representative Cathy McMorris Rodgers, R-Wash., is concerned with the legislative power that federal agencies have. “Our founders provided Congress with legislative authority to ensure lawmaking is done by elected officials, not unaccountable bureaucrats,” she wrote in a letter to FCC Chairwoman Jessica Rosenworcel in October.

“In my opinion, there’s a lot of overblown statements about how bad the problems are,” said Rob Atkinson, president of the Information Technology and Innovation Foundation. “And a lot of the regulatory solutions… would actually, in our view, do more harm than good.”

Speaking at a panel hosted by the ITIF on Wednesday, industry experts responded to President Joe Biden’s recent op-ed calling on Congress to unite against Big Tech companies in three areas of concern: privacy, content moderation and competition.

“It’s gotten to this amazing point where we have a lot of the world’s most dominant tech companies, and to see a headline about uniting against Big Tech by the President of the United States, it hurts me greatly,” said Gary Shapiro, president and CEO of the Consumer Technology Association.

One of Biden’s policy recommendations was to place limitations on targeted advertising and ban the practice altogether for children. But Atkinson disagreed with the implication that targeted advertising is an inherent violation of privacy.

“Targeted advertising is almost always done in an anonymous way where the advertiser doesn’t know my name — they just know that I like to ride my bicycle to work, and so they send me a bicycle ad,” he said.

Despite concerns about the extent of certain proposals, the tech leaders were generally supportive of federal privacy legislation. “It’s incredible that the U.S. is one of the very few democracies in the entire world that does not have a comprehensive privacy law,” said Jules Polonetsky, executive director of the Future of Privacy Forum.

A proposed federal privacy law gained strong bipartisan support toward the end of 2022, but disagreements over two key issues have threatened its progress, explained TechNet CEO Linda Moore.

The first is private right of action, which Moore said was important to “make sure we protect those small and medium-sized companies from frivolous lawsuits that will drive them out of business.”

The second disagreement is over whether the federal law should preempt state privacy laws.

Steve DelBianco, executive director of NetChoice, emphasized the need for a “national standard to replace an impossible patchwork of state laws.”

“If the President is serious about data privacy, he should support the preemption of state laws and the presumption of private right of action,” DelBianco said.

Strict European privacy regulation can provide both guidance and caution

Polonetsky pointed to the European Union’s General Data Protection Regulation, often considered to be the world’s strongest privacy law, as a potential guide for U.S. legislation.

“For years, I would have said no — let’s show the American way to do it,” he said. “But now that we’ve tried to do the American way and made a bit of a jumble in many of our proposals, I have new appreciation for the thought that went into GDPR.”

But in addition to appreciating what the GDPR got right, policymakers should also look carefully at the ways in which it may have overly restricted research, Polonetsky added.

Atkinson emphasized that caution, saying that the GDPR’s “important and useful components” did not outweigh the negative impacts of its research limitations.

The implementation of GDPR also had negative implications for competition, Moore said. “The largest companies gained market share, because the smaller and medium sized companies just couldn’t adapt to the new privacy regime and all the hurdles that are put in place.”

Pursuing the strictest possible privacy standard could result in barring all data sharing and interoperability — things that are “necessary for competition,” Polonetsky claimed. “We need an understanding of the balance and the conflicts which do exist between competition and privacy.”

Privacy law is also closely intertwined with Section 230, Polonetsky said. “It’s clear that any significant change to 230 means companies doing an awful lot of surveillance to track things that are said and posted and done.”

Broadband Breakfast’s Big Tech & Speech Summit will feature panels on each of the issues identified in Biden’s op-ed. Learn more and register here.

Without downplaying the potential benefits of “metaverse” technology, it is important to understand how it differs from the current internet and how that will impact children, said Leeza Garber, a cybersecurity and privacy attorney.

“When you’re talking about being able to feel something with the haptic gloves, which are in advanced states of development, or even an entirely haptic suit, you’re talking about the potential for cyberbullying, harassment, assault to happen to minors in a completely different playing field — where right now there’s not so much proactive legislation,” Garber said.

Although the metaverse is often framed as a thing of the future, it actually just entails “an immersive, visual, virtual experience,” said Gail Gottehrer, founder and chairperson of the New York State Bar Association’s cybersecurity subcommittee.

Defined as such, the metaverse has already gained widespread popularity. “The next generation of children will spend approximately 10 years in virtual reality in their lives. So that’s the equivalent of around two hours and 45 minutes per day,” Gottehrer said, citing research from the Institution of Engineering and Technology.

The user base of one such platform, Roblox, “includes 50 percent of all kids under the age of 16 in the United States — so it’s huge for minors,” Garber said.

For a generation that has grown up with social media integrated into everyday life, the “interplay of personal data with gaining the benefit of using this type of platform is just simply accepted,” Garber added. “We have to be more proactive in a space where this new iteration of the internet will have the capacity to take in so much more data.”

‘Staggering’ amount of data collected in the metaverse

The data collected by metaverse technology is “staggering,” Gottehrer said. Virtual reality equipment can track eye and head movements, heart rates, muscle tension, brain activity and gait patterns. After just a few minutes of use, the “motion signature” created by this data can be used to identify people with 95 percent accuracy.

This data can also identify neurodiversity and some forms of disability that affect movement, such as Parkinson’s disease.

“If you’re a child and this data is already being collected on you, where might that down the road follow you in your life?” Gottehrer asked.

Only a handful of states have specific regulations for the collection of biometric data, but Garber predicted that more states will likely pass similar legislation, albeit “at a glacial pace.”

However, many experts worry that it will not be fast enough, particularly when it comes to protecting children’s digital privacy. “While we know technology moves at a pace that’s much faster than courts or litigation, there’s really a concern that [the Children’s Online Privacy Protection Act] is dragging behind,” Gottehrer said.

Compounding these concerns is the confusion over who should be setting these regulations in the first place. In September, as privacy legislation stalled in Congress, Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., wrote a letter urging the Federal Trade Commission to use its regulatory authority to update COPPA.

The letter “does not send a great message,” Garber said. And without decisive government action, tech companies currently hold great power to set the standards and practices that will shape the industry’s regulatory development in the future.

“Self-regulation by metaverse stakeholders — is that is that viable? Is that advantageous?” Gottehrer asked. “I think it’s safe to say we have not seen tremendous success at self-regulation of the current version of the internet — that might be a dramatic understatement.”

For an example of how companies might fail to proactively protect underage users, Gottehrer pointed to Instagram. According to internal documents shown to the Wall Street Journal in September 2021, Facebook knew for some time that Instagram was harmful to the mental health of teenage users, based on internal research, and yet continued to develop products for an even younger audience.

“All of these issues become amplified in an environment where you’re supposed to be completely immersed,” Garber said.

“I think the privacy landscape in the U.S. is likely to become more complicated before it gets any easier,” said Joan Stewart, an attorney specializing in privacy, data governance and regulatory compliance, at a webcast hosted by Wiley on Thursday.

New privacy laws in California and Virginia took effect on Jan. 1, and Colorado and Connecticut have privacy laws set to become effective in July. Utah’s privacy law will go into effect at the end of December.

 “We expect to see additional states actively considering both omnibus and targeted privacy laws this year,” Stewart said. “So we encourage businesses to focus now on creating universal privacy programs that can adapt to these new laws in the future.”

Although the various state laws have plenty of overlap, there are also several significant outliers, said Kathleen Scott, a privacy and cybersecurity attorney.

States take different approaches to imposing privacy

For example, the new California Privacy Rights Act — which amends and strengthens California’s existing digital privacy law, already considered the strongest in the country — requires that businesses use specific words to describe the categories of personally identifying information being collected.

“These words are unique to California; they come from the statute, and they don’t always make perfect sense outside of that context,” Scott said.

Another area of difference is the consumer’s right to appeal privacy-related decisions. Virginia, Colorado and Connecticut require businesses to offer a process through which they explain to consumers why a specific request was denied.

While implementing a universal standard make compliance easier for businesses, Scott noted that “processing appeals can be pretty resource intensive, so there may be important reasons not to extend those outlier requirements more broadly to other states.”

Generally speaking, the state privacy laws apply to for-profit businesses and make an exception for nonprofits. However, Colorado’s law applies to for-profit and nonprofit entities that meet certain thresholds, and the Virginia and Connecticut laws carve out select nonprofits as exempt instead of having a blanket exemption.

Other state-to-state differences include specific notices, link requirements and opt-in versus opt-out policies. Even key definitions, such as what qualifies as “sensitive data,” vary from state to state.

Two of the state privacy laws taking effect in 2023 authorize the development of new rules, making it likely that additional expectations are on the horizon.

California will not begin civil and administrative enforcement of the CPRA until July. In the meantime, the state’s new privacy agency is charged with developing rules for its implementation, including specific directives for required notices, automated decision-making and other issues.

“The California rulemaking has been particularly complicated… and the outcome is going to have significant impacts on business practices,” said Duane Pozza, an attorney specializing in privacy, emerging technology and financial practices.

The state’s attorney general is arguing that existing rules require a global opt-out mechanism, but the new law establishes this as optional, Pozza explained. The currently proposed rules would again require a global opt-out.

Colorado’s attorney general is undertaking a similar rulemaking process, revising a previously released draft of the rules in preparation for a February hearing.

Several additional states are expected to propose broad or targeted privacy laws during the coming legislative cycle, according to data published Thursday by the Computer and Communications Industry Association. In addition to comprehensive consumer data privacy legislation, several measures address the collection of biometric information and children’s online safety, the CCIA found.

Many experts and policymakers have called for a comprehensive national privacy law, but, although such a bill gained bipartisan support in 2022 before stalling, Congress has yet to act. Lewis argued that federal regulation is needed since companies often renege on voluntarily accepted privacy standards. “In the era of big data, the harms that come with [violations] are just exacerbated because of how much data is out there, both the harms to consumers and users [and] the harms to competition,” Lewis said.

Later in the panel, Lewis argued that case-by-case enforcement, as attempted by the current Federal Trade Commission, cannot keep pace with innovation. Privacy and data-protection rules would force innovators to consider those issues earlier in the product-design process, he said.

“You go up and you talk to [exhibitors at CES] and ask them things get at consumer-protection harms that could come from their technology or could come from the next iteration of their technology…you can tell that those harms are not front of mind, so we want to see them become more front of mind,” Lewis said.

The absence of federal action has led several states, including California, to pass their own privacy codes. Panelists argued that this “patchwork” of inconsistent state regulations creates uncertainty for consumers and the business community.

CES 2023 has featured numerous discussions of cybersecurity in sectors ranging from transportation to Internet of Things home devices. On Thursday, an official from the Department of Homeland Security argued that manufactures should design and pre-configure devices to be secure, thus reducing the security burden on consumers.

For their own protection, consumers must better understand how to weigh risks and protect themselves in the digital world, Stewart Gloster said Saturday. “The sooner that people understand that their physical security and digital security are inextricably linked the better,” she argued. According to the panel’s moderator, Consumer Technology Association senior manager for government affairs John Mitchell, 82 percent of data breaches in 2021 involved “the human element, stolen credentials, phishing, misuse.”

Stewart Gloster’s team is working on a national cyber-workforce and education strategy, she said, which will address the federal cyber workforce, the national cyber workforce, cyber education, and “digital safety awareness.”

Stewart Gloster said workforce initiatives should promote the participation of “people of a diverse set of backgrounds who are highly skilled and multidisciplinary who can take a look at the problem space, who can apply their lived experiences, apply the things they’ve observed, apply their academic backgrounds to a challenging and ever evolving landscape.”

The popularization of IoT devices gives cyber-criminals increasing opportunities to breach networks, many say. Network-connected household devices – e.g., lightbulbs and home security devices – can be entry-points if security protocols are lacking. On CES panel on Thursday, a cybersecurity official at the Department of Homeland Security argued that manufacturers should design and preset devices to be safe, shifting much of the burden from the consumer.

“For a long-term, sustainable solution, the best approach really is for demand to be market driven,” she said, adding that NIST is “happy” to support the market when called on. To preserve flexibility, NIST’s cybersecurity guidelines for IoT manufacturers in general prescribed desired outcomes, rather than specific and “brittle” standards, Megas said.

“How you achieve those [outcomes] will vary depending on the maturity of your organization, the architecture of your product, perhaps preferences that you might have for you own internal processes,” she explained.

Megas said manufacturers, who well know their devices’ technical capabilities, often lack an understanding of how consumers actually use their devices. Megas said she has examined how to “help a manufacturer who has no insights into the final contextual use of this product, how can we help them…understand, ‘Here are the risks associated with my device.’”

At an American Enterprise Institute panel held in November, Megas endorsed an “ecosystem approach” to cybersecurity, arguing that network security is also indispensable.

LAS VEGAS, January 5, 2023 – To keep pace with today’s technological innovations and cyberthreats, the railway industry must retool its cybersecurity defenses, said Shawn Smith, vice president of business development of rail cybersecurity company Cylus.

The onus of securing devices shouldn’t fall to the consumer, Brown argued Thursday at the Consumer Electronics Show 2023. Industry experts say cybersecurity begins in hardware production – from the microchip level up – as well as software coding. And by pre-configuring devices to protect the user, Brown said, manufacturers can create a still higher degree of protection.

Brown spoke on a panel at which speakers discussed various new ways connectivity can improve life and business in various sectors. Veneeth Iyengar, broadband director of Louisiana, said he is working to make his state attractive to “disruptive” technologies that will benefit industries such as precision agriculture. Once broadband has been made accessible to all Louisianans, Iyengar said the next step is to consider how to “make broadband as an asset platform an enabler to drive Louisiana’s economy, making it even more inclusive.”

Beside precision agriculture and other business technologies, Internet of Things consumer devices – such as smart light bulbs, home security systems, and smart thermostats – are rapidly gaining in popularity. Panelists at an American Enterprise Institute event in November raised concerns that insecure IoT technology could provide to hackers an easy entry to networks.

To ensure the security of consumer devices, Federal Communications Commission Commissioner Nathan Simington in December proposed requiring manufacturers to provide as-needed security updates to their devices for a set period of time.

Claiming to have information about recipients’ auto warranties, the so-called “Cox/Jones Enterprise” placed more than five billion scam robocalls in early 2021, the FCC alleges. The agency says these calls were made to more than a half a million phones and used over a million unique caller ID numbers. The operation made these calls from various American and foreign entities, including entities located in Panama and Hungary, the commission says.

The FCC alleges that the Cox/Jones Enterprise conduct violated the Telephone Consumer Protection Act’s provisions that robocallers must obtain express consent from the recipient before calling a mobile phone and that they must identify themselves at the beginning of the call. The enterprise is also illegally used phony caller IDs to appear near to call recipients, the agency says.

The fine was unanimously proposed at the commission’s December open meeting, at which Chairwoman Jessica Rosenworcel committed to continued action against phone scammers.

“Earlier this month, we ordered phone companies to block the company responsible for up to 40 percent of scam calls involving student loans. Plus, we now have agreements with 43 State Attorney Generals (sic), the District of Columbia, and Guam to go after illegal robocalls – just like we did here with the Ohio Attorney General,” Rosenworcel said in a prepared statement. “So our message is clear to those who would follow in the footsteps of the auto warranty scammers – we are watching, we are working with our state counterparts, and we will find you, block you, and hold you accountable.”

On Tuesday, the FCC announced a new online portal for entities to report robocall and spoofing violations. The agency in November took action to crack down on straight-to-voicemail robocalls and in October launched an inquiry into combatting calls on non-internet-protocol networks.

The FCC moves to streamline space authorizations

At Wednesday’s meeting, the FCC unanimously approved a notice of proposed rulemaking that would expedite satellite and earth station applications, following Rosenworcel’s November announcement of a new space bureau. Commissioners touted the American space industry’s accelerating rate of satellite deployments and called for updated regulation to facilitate the sector’s further growth.

In their comments, Rosenworcel and Commissioner Brendan Carr praised the Satellite and Telecommunications Streamlining Act, a recently introduced bipartisan bill from Reps. Frank Pallone, Jr., D-N.J., and Ranking Member Cathy McMorris Rodgers, R-Wash., that would facilitate satellite permitting. Commissioner Nathan Simington endorsed the bill earlier this month.

The FCC sought comment on measures to combat digital discrimination, including via proposals to define the term, update the agency’s consumer complaint mechanism, and provide “model policies” and “best practices” to states and localities. The agency also proposed rules to improve emergency responses by requiring wireless and some text providers to facilitate location-based routing on their internet protocol-based networks. Lastly, the FCC proposed a new compensation structure for certain providers to improve captioned phone calls for the deaf and hard of hearing.

“Uses of this form might include a corporation or association experiencing a deluge of robocalls overwhelming their internal phone network, voice service providers that found evidence of illegal robocalls traversing their networks, or private entities that have had their number(s) spoofed,” the FCC’s portal says.

The category “private entities” does not include individuals.

“This new tool will help us support companies and businesses that see their phone lines jammed with robocalls or their valuable and hard-won brand awareness undercut by scammers spoofing their numbers,” said Loyaan Egal, chief of the Enforcement Bureau.  “While we will always rely on consumer complaints about massive robocall campaigns and have existing lines of communications with many public institutions, we now also have a direct line of communications with private entities that sometimes seem under siege by robocalls and now have an avenue to reach out for help.”

The elimination of illegal robocalls has of late been a priority for the FCC, and the agency has taken several actions to squash them in recent months. A recent report by Truecaller found that in the twelve months preceding May 2022, scam callers pried $39.5 billion from 68.4 million Americans. These year-over-year figures rose sharply from $29.8 billion lost and 59.4 million victims in 2021.

The FCC in November ended new authorizations for foreign-made devices deemed to pose national security risks, but further regulation of domestically produced devices is necessary, Simington argued. He advocated mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers. Nefarious actors can exploit vulnerable devices to compromise entire networks, a danger that grows as Internet of Things devices proliferate, experts say.

Simington analogized the proposed update regime to recalls of defective physical products, but argued the former poses only minimal compliance burdens on industry and consumers.

To avoid mismanagement by federal regulators, Simington favors a reasonableness standard that relies on industry best practices, he told Broadband Breakfast after the announcement. The commissioner said regulators usually lack the ability to micromanage industry. “We’ve got to be really humble about the extent of the knowledge in the federal government,” he said.

“If a reasonable tech company would have updated under these circumstances, and a tech company chose not to do so simply because of bad design or because of an inadequate threat detection [or] insufficient concern or responsiveness of customers, then we start saying that perhaps they were acting unreasonably,” the commissioner said.

“We’ve got to recognize that a lot of the expertise lies in industry,” he added.

Simington said he hopes the commission will act in the first half of 2023.