(by Spencer Rubin and Trip Nistico, Colorado Law 2Ls, and Vickie Stubbs, ATLAS Institute)
Two weeks ago, the TLPC submitted reply comments on the Third Further Notice of Proposed Rulemaking (FNPRM) in the Federal Communications Commission’s Text-to-911 (TT911) docket. Among the many areas in which the FCC sought comment on rules for text messages to 911, we focused on the privacy and cybersecurity implications of sharing enhanced location information via text message to emergency responders.
Currently, enhanced location information (GPS-based tracking information) is not shared with emergency responders when people text 911, even in areas where texts can be sent. The only location information that mobile devices and text-message applications share with emergency responders when people text them is coarse location information based on a mobile device’s cell tower “pings.”
However, once the Commission ultimately implements its TT911 rules, mobile devices and text-messaging applications will be required to transmit enhanced location information during a TT911 session. This will give emergency responders a more refined estimate the texter’s location.
Despite the benefit of giving emergency responders a more precise location of where someone is located who has texted them, the transmission of enhanced location information during TT911 session raises substantial privacy and cybersecurity concerns. By mandating that mobile devices and text-messaging applications be designed and programmed to transmit people’s enhanced location, the FCC is asking mobile devices and text-messaging applications to create new standards for the handling of what people expect to be their private location information.
In its 3rd FNPRM, the FCC is considering rules that would allow mobile devices and text-messaging applications to recognize that a texter is attempting to send a message to 911 and override the texter’s location settings for her text messaging application, in order to append her enhanced location information as metadata within her text. That location information would then be sent to mobile carriers who would forward it to emergency responders at Public Safety Answering Points (PSAPs).
Once mobile carriers receive people’s enhanced location information and forward it on to emergency responders at PSAPs, the question arises of how the FCC will ensure the secure storage of that information. The FCC has not proposed many procedures for ensuring the secure storage of enhanced location information in the 3rd FNPRM.
Should the FCC allow the sharing of enhanced location information, then two critical issues are at play:
1) Does it violate basic privacy values?
2) Will the storage of private information be secure?
While sharing enhanced location information in a text to 911 is valuable to decrease emergency responders’ response times and to save lives, we believe that there should still be safeguards on the transmission of that information (to protect privacy) and on the storage of that information (to protect cybersecurity). Our comments recommend that the FCC use Fair Information Practice Principles (FIPPS) as a framework for addressing data transmission and storage safeguards. (The White House has even recognized that FIPPs are important factors in protecting people’s privacy and securing their information.) Using FIPPs, we urged the FCC to strike a balance between respect for people’s privacy and security and the benefits of sharing enhanced location information during a TT911 session. More specifically, we urged the FCC to require that:
- Mobile devices and text-messaging applications give people adequate notice that text-messaging applications will share enhanced location information during TT911 sessions;
- Mobile devices and text-messaging applications give people the ability to opt out of automatically sharing enhanced location information during TT911 sessions;
- Text-messaging applications only embed or attach enhanced location information into 911 text messages when people send them and not open security backdoors that would allow PSAPs—and hackers—to request location information at will; and
- Mobile carriers and text-messaging service providers dispose of any enhanced location information that they have obtained once the emergency is over.
We believe that these suggestions, if adopted, ensure that privacy and security of people’s enhanced location information will be adequately protected without impeding the FCC’s implementation of rules for transmitting that information and the public safety benefits that would result.