Would You Allow Foreign Workers to See Your CDRs?

The publication of new guidance from the Federal Communications Commission (FCC), the US regulator, provides more evidence of the growing Cold War mentality affecting the business of international communications.

Will any Non-U.S. Individual have access to one or more of the following…

…Physical facilities and/or equipment under the Applicant’s control?

…Customer records, including Customer Proprietary Network Information (CPNI), billing records, and Call Detail Records (CDRs)?

…Network control, monitoring, and/or auditing features?

…Electronic interfaces that allow control and/or monitoring of the infrastructure under the Applicant’s control including, but not limited to, access to actual communications content and data?

These are some of the new standard questions to be asked of any foreign investors that seek to obtain more than 25 percent ownership of a comms provider that services the US market. US law caps foreign ownership of telcos and broadcasters at 25 percent unless the FCC approves specific requests for a higher stake. In practice the FCC has allowed 100 percent foreign ownership of some businesses, though it opposes foreign ownership of broadcasters. The new standard questions reveal how insular US telcos can be, relative to telcos operating in most other countries.

For each Individual identified in response to these questions, provide the following information: name, countries of citizenship, date and place of birth, U.S. alien number and/or social security number (if applicable), passport identifying information (including number and country), all residence addresses, all business addresses, and all phone numbers.

Acting FCC Chair Jessica Rosenworcel argued that these standard questions showed how well the modern FCC understands risk in the digital era.

…we have long had a framework in the Communications Act to assess foreign investment in our operators and licensees. This framework is smart and puts security interests front and center. But it merits an update for the digital age — and that is exactly what we do today.

This leads me to wonder if Rosenworcel and her fellow FCC Commissioners are just jaundiced politicians willing to say anything that furthers their careers, or if they really believe maintaining the future integrity of US communications networks will depend on checking lists of names of relatively lowly foreign employees.

It does not take much to imagine a telco that has offshored enough jobs to make compliance with this standard questionnaire futile. Do very senior people with responsibility for national security expect to vet every foreign employee who works in billing or customer care? Why would that matter for a telco that is 30 percent owned by a foreign investor but not for a telco that is 100 percent owned by Americans? Has anyone considered how little it would cost to bribe American citizens who do low-paid jobs with access to this kind of data, or that many of them are naturalized Americans who were born elsewhere? What is the purpose of knowing about passports and dates of birth of foreign employees at the time of a change in ownership unless there are also plans to review and potentially block every new recruit after that time? And what would count as a satisfactory answer to these questions if the hiring of foreign staff will only begin if the FCC approves foreign investment?

The likeliest explanation is that the FCC does not really expect foreign investors to comply with the requirement as actually stated, and would not know what to do with the information if they received it. In other words, this is a case of lawyers making rules for other lawyers that can only be understood by those lawyers with enough experience to know when to ignore the rules. More money will go into the pocket of lawyers, but it is not clear how much the rest of us will benefit from their work. Information gathering of this type will likely focus on key managers, with some deliberate vagueness about who should be considered key. However, senior management never look at detailed data like CDRs and probably would not be able to understand them, even if they knew where to find them.

Trying to evaluate the threat to US national security by asking the home address of everybody with visibility of CDRs is like trying to evaluate the threat of spyware being installed on handsets by knowing the names of every individual working in the Chinese factory that made them. The lawyers at the FCC have rightly recognized the potential security threats if an enemy nation obtained visibility or control of vital communications links. The problem is that they seem incapable of adapting to the granularity of control needed when overseeing networks that employ thousands of people serving millions of customers producing billions of records.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.