From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. Partners John Heitmann and Steve
Editor’s note: CommLaw Monitor primarily addresses developments in communications and technologies in the United States. We provide this special update regarding new regulations in Germany for the benefit of U.S. and foreign service providers alike. The security issues discussed below may have implications for all service providers.
The German Federal Network Agency, Bundesnetzagentur (BNetzA), recently launched a final public consultation on its new draft Catalogue on security requirements for telecommunications service providers and operators of public telecommunications networks. The draft is revamped significantly, but continues in the same vein as its predecessors, aiming to prevent disruptions and manage security risks by requiring providers and operators to implement technical security measures and safeguards for operating telecommunications and data processing systems. The deadline for comments on this version 2.0 of the Catalogue is 13 November 2019, but the BNetzA is unlikely to make fundamental changes at this late stage. Consequently, stakeholders should consider the draft as a reliable indicator of the official version, and assess how to best satisfy the requirements.
At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.
NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.
Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.
Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.
On August 1, the FCC took another step in its ongoing effort to combat deceptive and unlawful calls to consumers. This action once again sets its sights on a common target: concealment or alteration of the originating number on a communication. This practice is known as “spoofing” and, when conducted with an intent to cause harm to consumers, is unlawful. In the August 1 Report and Order, the FCC amended its Truth In Caller ID rules to expand anti-spoofing prohibitions to foreign-originated calls and text messaging services.
Once these rules take effect, the FCC closes a significant gap in its prior rules – calls which originate outside the United States – at the same time that it acts preemptively to prohibit deceptive spoofing in a growing area – text messaging. In the process, the FCC will enhance one of its most commonly used tools in its effort to combat unlawful robocalls – fines for unlawful spoofing. Generally, the FCC has attacked parties that originate unlawful robocalls by fining them for the subsidiary violation of spoofing the unlawful calls. In telecommunications enforcement, spoofing violations are the tax evasion charges to Al Capone’s criminal enterprise.
Since its adoption, the Telephone Consumer Protection Act (“TCPA”) has periodically been attacked as unconstitutional on grounds that it violates the First Amendment right to free speech due to its content-based restrictions. Until today, those attacks have generally failed, leaving defendants with the threat of potentially crippling statutory damages. Today, the Fourth Circuit announced that part of the TCPA, an exemption for calls to collect government debts, is unconstitutional and will be stricken from the Act.
A new report from the Wall Street Journal on FCC robocall enforcement set off a minor scrum over the effectiveness of the FCC’s TCPA efforts under Chairman Pai. The report claimed that, despite recent eye-popping enforcement actions and policy proposals aimed at curbing unwanted calls, the FCC collected only a fraction of those fines so far. Out of $208.4 million in fines issued since 2015 for violations of the FCC’s robocalling and associated telemarketing rules, the agency collected just $6,790, or less than one-hundredth of one percent. None of the over $200 million in robocall-related fines imposed under Chairman Pai’s leadership have been collected to date, including the record-setting $120 million penalty issued last year against a robocalling platform and its owner for placing over 96 million “spoofed” marketing robocalls.
This report prompted commentary from Commissioner Rosenworcel, who tweeted that these “measly efforts” were “not making a dent in this problem” and called for carriers to provide free call blocking tools to consumers. In our view, however, the report really doesn’t relate to the vigor – or alleged lack thereof – of FCC robocall enforcement efforts. Instead, the small amount of assessed fines that are actually collected starkly demonstrates the internal and external hurdles faced by the FCC, which impact all types of enforcement actions, not just robocalls. The report likely will rekindle Congressional criticism of FCC enforcement processes and calls for more systematic solutions to the problem of unwanted calls.
“Yes FCC, we meet again old friends” was the message comedian John Oliver had for the FCC on his show Last Week Tonight, when he devoted nearly 20 minutes to an in-depth criticism of “robocalls” and the FCC’s approach to regulating such calls. (Oliver had previously taken aim at the FCC in multiple segments about net neutrality – which included comparing then-FCC Chairman Tom Wheeler to a dingo – and he allegedly crashed the FCC’s comment system after encouraging his viewers to submit pro-net neutrality comments in the proceeding that led to the decision to revert back to light-touch regulation of broadband Internet access service.) He ended the March 10th segment by announcing that he was going to “autodial” each FCC Commissioner every 90 minutes with a satirical pre-recorded message urging them to take action to stop robocalls.
The irony of John Oliver making robocalls in order to protest robocalls is rather funny. But, it raises the question – are these calls legal? The fact that the calls appear to be lawful – and would be legal regardless of the action Oliver called for in the program – highlights that there is an important distinction between illegal calls and unwanted calls. In the end, Oliver’s segment demonstrates some of the problems with modern efforts to apply the Telephone Consumer Protection Act (“TCPA”), a statute that was adopted well before the proliferation of cell phones in America, and seems to deter many legitimate calls while not sufficiently stopping scam calls.
[Spencer Elg co-wrote this post]
The current and future definition of what qualifies as an automatic telephone dialing system (“ATDS” or “autodialer”) remains a hotly debated and evaluated issue for every company placing calls and texts, or designing dialer technology, as well as the litigants and jurists already mired in litigation under the Telephone Consumer Protection Act (“TCPA”). Last year, the D.C. Circuit struck down the FCC’s ATDS definition in ACA International v. FCC, Case No. 15-1211 (D.C. Cir. 2018). Courts since have diverged in approaches on interpreting the ATDS term. See, e.g., prior discussions of Marks and Dominguez. All eyes thus remain fixed on the FCC for clarification.
In this post, we revisit the relevant details of the Court’s decision in ACA International, and prior statements of FCC Chairman Ajit Pai concerning the ATDS definition to assess how history may be a guide to how the FCC approaches this issue.
With speculation running rampant that Chairman Pai intends to bring a remand order from ACA International v. FCC in January 2019, the FCC took a related step to reduce misdirected calls. At the December Open Meeting, the FCC approved a Second Report and Order (“R&O”) to create a single, nationwide database for reporting number reassignments that will allow callers to verify whether a phone number was permanently disconnected before calling the number. The item is meant to reduce “wrong number” calls to mobile phones, i.e., where a caller has a legitimate reason for trying to reach a consumer but doesn’t realize that the number they have has been reassigned to someone else. The new rule would help eliminate a scenario where the new holder of the number receives an unwanted call and the prior holder never receives the call intended for them. The R&O is part of a broader effort by the FCC to address and stem the volume of unwanted phone calls in the United States.