Last week, my wife and I received the above postcard from AT&T, which provides our mobile phone service. All telecommunications companies in the United States provide these notices -- by snail mail, email, or both. If you receive a notice, don't toss it in the trash. Read it closely because your privacy depends upon it.
The text of our postcard read:
"AN IMPORTANT MESSAGE ABOUT THE PRIVACY OF YOUR CUSTOMER PROPRIETARY NETWORK INFORMATION (OR CPNI)
The protection of our customers' privacy is of utmost importance to the employees and management of the AT&T family of companies (AT&T)*. Please take a moment to read the following important message about the privacy of your customer information.
AT&T companies that provide telecommunications and interconnected Voice over Internet Protocol (VoIP) service (which permits VoIP customers to both send and receive calls to/from customer with traditional telephone/telecommunications service) would like to share your customer proprietary network information (CPNI) within the AT&T family of companies for our own marketing purposes, including using theat information to offer you additional products and services.
What CPNI? Your CPNI includes the types of telecommunications and interconnected VoIP services you currently purchase, how you use them, and the related billing for those services. CPNI does not include your telephone number, your name or your address. Protecting the confidentiality of your CPNI is your right and our duty under federal law. As an AT&T customer, you can restrict the use of your CPNI even within the AT&T family of companies.
To allow AT&T to use your CPNI, no further action is required. AT&T and our authorized agents will not sell, trade or share your CPNI with anyone other than those who are in the AT&T family of companies or are AT&T authorized agents, unless required by law. If at any time you would prefer that AT&T not use your CPNI to offer you additional products and services, you may:
- Submit an online form at att.com/ecpnioptout; or
- Call 800.315.8303 24 hour a day, 7 days a week and follow the prompts; or
- To speak to a service representative call 800.288.2020
Your decision to permit or restrict the use of CPNI will remain in effect until you decide to change it, which you can do at any time without charge. Restricting our use of your CPNI will not affect the providion of any AT&T products or services to which you currently subscribe, nor will it eliminate other types of marketing contacts. Thank you for choosing AT&T. We appreciate your business.
*The AT&T Family of Companies are those companies that provide voice, video and broadcast-related products and/or services domestically and internationally, including the AT&T local and long distance companies, AT&T Corp., AT&T Mobility, DIRECTV and other subsidiaries or affiliates of AT&T Inc. that provide, design, market, or sell products and/or services."
What does this notice mean? What's really going on?
First, AT&T is already sharing your information. Anytime you read a corporate notice that says you can opt out (e.g., unsubscribe) of a marketing or advertising program, that means you are already included. You'd think that programs would work the other way: you are never included in a program until you subscribe (e.g., opt in). That would be easy for consumers. You're only in programs you want to participate in, and there's no burden to (constantly) opt out of unwanted programs.
Sadly, other telecommunications companies have similar marketing programs with CPNI and opt-out mechanisms. Why? Marketing and advertising programs that automatically include all customers are the easiest and fastest way for companies to collect and share as much information as possible about as many customers as possible. So, you're included in programs whether you want them or not, with the hope that you won't take the time to read and opt out (unsubscribe).
That's definitely not consumer friendly.
Second, the notice fails to explain exactly what CPNI is. The description seems to have been written by lawyers for lawyers -- and not for consumers. A clearer notice would list the specific data elements collected and shared, with examples. I checked AT&T's CPNI website page to see if it provided a more details. It doesn't. It provided the same vague text. Compared to a postcard, there's plenty of more room on a web page to share details. I guess AT&T really doesn't want to share details about CPNI.
If you want to know exactly what CPNI is, the FCC provides this definition:
"Your local, long distance and wireless telephone companies, as well as your Voice over Internet Provider (VoIP), collect information such as the numbers you call and when you call them, as well as the particular services you use, such as call forwarding or voice mail. These companies collect this customer information, also called Customer Proprietary Network Information (CPNI) so they can provide the services you have requested and send you bills for them."
While petitioning the FCC for greater privacy protections in 2007, the Electronic Privacy Information Center (Epic) and other advocacy groups said:
"CPNI is the data collected by telecommunications corporations about a consumer’s telephone calls. It includes the time, date, duration and destination number of each call, the type of network a customer subscribes to, and any other information that appears on the customer's bill."
So, CPNI includes metadata about your call and online activity. That's sensitive personal information... which leads to the next point.
Third, treat the security of your CPNI data seriously. Last year, AT&T paid a $25 million penalty after data breaches in three of its offshore call centers that included stolen CPNI. The U.S. Federal Communications Commission (FCC) investigated after unauthorized employees in call centers in Mexico, Colombia, and the Philippines accessed sensitive personal information of about 280,000 U.S. customers: names, full or partial Social Security numbers, and CPNI data. The employees transferred the stolen information to "unauthorized third parties" (e.g., criminals) to unlock stolen phones and other acts. So, criminals understand the value of CPNI data. You should, too.
Fourth, the notice seems slanted. It uses the term "restrict" as if that is bad, but never provides examples of the benefits for consumers. How are consumers to make informed decisions if a company fails to clearly explain the program?
Fifth, the AT&T CPNI Optout page mechanism is poorly designed. The form, which asks customers to enter an account number and ZIP Code:
This works okay for accounts with a single person. It is problematic for accounts with multiple persons (phones), like family plans -- which my wife and I have. The form's lack of flexibility means that the account holder decides for everyone on the account. Individual persons can't selectively opt out. You'd think that AT&T would have designed the mechanism with flexibility to accommodate this, but it didn't. Everything seems driven by the sharing of information on monthly bills.
Sixth, the confirmation page copy seems vague. It isn't clear if the customer has opted out or not. If the processing isn't complete, then messaging should explain what happens next and when. See:
Seventh, if you opted out of the CPNI data sharing program, you're not finished. The AT&T Choices and Controls page lists about six behavioral advertising programs. It is time consuming and crazy-making to have to wade through so many programs and opt out of each one.
So, I was underwhelmed by the CPNI opt-out mechanism. A long time ago, AT&T publicly promised to do behavioral advertising the right way. It's not there yet. Not even close.
What else might be happening here? AT&T executives probably have watched the 'supercookies' investigation and settlement agreement involving Verizon Wireless. Supercookies are unique identifiers inserted into mobile users' data streams to track their online usage. The identifiers, which are really difficult for consumers to delete, help provide advertisers with the robust information they desire. The FCC found that Verizon Wireless didn't inform its customers about its use of supercookies with data sharing, and didn't provide its customers with an opt-out mechanism. Bazinga! $1.35 million fine for privacy violations and a three-year compliance program. Verizon has since updated its policies and opt-out mechanism.
C/Net reported in 2014 that AT&T lagged Verizon in using supercookies:
"Verizon, the largest mobile carrier in the US, uses information gleaned from its supercookies to understand your interests and concerns by tracking the websites you visit and links you click on. It then supplies that information to its advertisers so they can craft finely targeted advertising campaigns. About 106 million of Verizon's consumer customers have been tracked this way for over two years by the company's Precision Market Insights program... AT&T tracks fewer customers, but only because the company says its program is still being tested."
Will AT&T ramp up its supercookies development? That bears monitoring. I expect privacy advocates will keep watch. Meanwhile, consumers can assume that CPNI includes everything on their monthly bill for whichever telecommunications products and services you use. Make your opt-out decisions based upon that.
What are your opinions of the CPNI privacy notice by AT&T? By other telecommunications companies?