CDT Pleased with NEAD Privacy and Security Plan

March 21, 2017 – The Center for Democracy & Technology said it is pleased with the National Emergency Address Database (NEAD) privacy and security plan submitted by the wireless industry last month (TRDaily, Feb. 6), although it emphasized that careful implementation of the plan will be critical, including enabling public input. The NEAD is being developed to help implement the FCC’s indoor 911 location accuracy rules. The nation’s four national wireless carriers – Verizon Wireless, AT&T, Inc., Sprint Corp., and T-Mobile US, Inc. – along with NEAD LLC, a non-profit entity established by CTIA to administer the NEAD, submitted the privacy and security plan, which was mandated by the FCC in its indoor 911 location order (TRDaily, Jan. 29, 2015).

In comments filed yesterday in PS docket 07-114, CDT noted that in January 2015, it and other groups expressed “concerns about the privacy impact of the NEAD. We cautioned that users of networked devices likely do not expect that information about their personal devices and physical address will be stored in a national database that is accessible to multiple parties. In those comments, we offered several recommendations for protecting user privacy including strong limits on third-party access to the database and opt-out mechanisms for individuals. CDT is pleased that the draft NEAD Privacy and Security Plan appears largely to address these concerns.”

“As drafted, the NEAD security plan includes specific technical requirements for encrypting information both in transit and at rest in the NEAD, routine penetration testing, and maintaining secure operating systems and applications on the NEAD Platform. The plan also provides for access controls, personnel training, and ongoing monitoring. The thorough implementation of these policies and controls will be critical for maintaining the public’s trust in the NEAD,” CDT stressed. “Location information is highly sensitive, and as the NEAD Platform expands nationwide, this database of location information will present an increasingly alluring target for malicious agents. We note that the expansion of the NEAD Platform over time will require an ongoing commitment to comprehensive data security measures and may require additional financial and technical investments by wireless carriers and the NEAD Platform.”

“As described in the plan, the NEAD Platform is not designed to store information about any identifiable individuals but rather is a database only of verified wireless access points that are mapped to 911-dispatchable addresses,” CDT noted. “During a 911 call, wireless carriers provide the NEAD Platform only with the [media access control] MAC addresses of detected wireless access points to compare against the database. These limitations mitigate the potential usefulness of the NEAD Platform as a potential surveillance tool by law enforcement or other government agencies. We were also pleased to see that the draft privacy plan continues efforts to impose a blanket restriction on the use of the NEAD Platform for any commercial purpose. Ensuring the accuracy and effectiveness of 911 services is an important goal to improve public safety, but so is maintaining public trust in the Platform: the careful coordination and resources devoted to the NEAD Platform by wireless carriers must not be used as a backdoor to advance the sharing or selling of information for reasons other than providing emergency services.”

CDT also said that it “recognizes that the NEAD Platform remains a work-in-progress. It will likely be many years yet before the full functionality of the NEAD Platform is available for 911 services across the United States, and it is apparent from the draft privacy and security plan that development of the NEAD Platform will occur in stages. Specifically, we note that information about wireless access points in the NEAD Platform will be provided not only by wireless carriers but also (1) other entities, including building managers and major businesses, and eventually (2) individual consumers.

“Properly incentivizing these contributions will require an ongoing commitment by the NEAD Platform to respect the privacy of individuals,” CDT said. “This will require much more robust engagement with the public by the NEAD, which presently has no public-facing website or online presence. The NEAD should develop educational materials and a method for the public to submit their questions and concerns beyond formal comments such as these. As the service develops, individuals should also be offered information and clear choices about how they can add, access, update, or remove their personal information and information they contribute regarding wireless access points.”

CDT concluded that it “is broadly supportive of the draft privacy and security plan proposed by the NEAD Platform. It is a strong foundation, and we expect that the NEAD Platform will continue to engage with consumer advocates and privacy and technology experts as the Platform evolves.”

The National States Geographic Information Council (NSGIC), which represents states on policy and implementation issues related to geospatial technologies, expressed concern that the plan says, “Except as may be required by applicable law, information contained in the NEAD Platform will not be disclosed to third parties, including government entities, other than for E911 purposes. The NEAD Administrator will follow a defined procedure to assess and respond to valid governmental requests for Information.” NSGIC said it “finds both sentences vague and not providing enough information as to what is considered an allowable use ‘for E911 purposes’ or what specific qualifiers or guidelines used in the ‘defined procedure to assess and respond to government requests’ may cause a governmental request to be denied. GIS data, in particular PSAP Boundaries, Emergency Service Boundaries, and street address data, is required for use in Next Generation (NG) 9-1-1 Systems.”

NSGIC said it “believes that pre-validation of a NEAD dispatchable location, including its additional ‘subaddress’ information, should be considered an allowable government use for 9-1-1 purposes and should be specifically cited as such in the Plan. NSGIC members desire their PSAPs and Authoritative NG9-1-1 GIS Data Providers [to] have access to the NEAD dispatchable address information to not only validate the NEAD dispatchable locations but to also identify potential missing addresses in their authoritative GIS data. Missing addresses could be researched, validated, and added to their authoritative GIS data so that should a 9-1-1 call ever come from the NEAD dispatchable address, it will be located in their authoritative GIS data to the subaddress level. A civic address added to local authoritative GIS data as a result of a PSAP or Authoritative NG9-1-1 GIS Data Provider researching a NEAD dispatchable address should not be considered proprietary or be restricted from being shared outside of 9-1-1. Many PSAPs and Authoritative NG9-1-1 GIS Data Providers work closely with their sister governmental agencies and share their GIS data to avoid costly data duplication activities.” – Paul Kirby, paul.kirby@wolterskluwer.com

Courtesy TRDaily