Monday, November 09, 2015

:: "The Commission has been unequivocal in declaring that it has no intent to regulate edge providers."

In Re Consumer Watchdog Petition for Rulemaking to Require Edge Providers to Honor ‘Do Not Track’ Requests Released: November 6, 2015

1. In this Order, we dismiss Consumer Watchdog’s request that the Commission “initiate a rulemaking proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn) to honor ‘Do Not Track’ Requests from consumers.”1 The Commission has been unequivocal in declaring that it has no intent to regulate edge providers.2 We therefore find that, pursuant to section 1.401(e) of our rules, the Consumer Watchdog Petition “plainly do[es] not warrant consideration by the Commission.”3

2. Section 222 of the Communications Act governs telecommunications carriers’ protection and use of information obtained from their customers or other carriers, and calibrates the protection of such information based on its sensitivity. The Commission has adopted rules implementing section 222’s privacy protections with respect to providers of voice services, has amended those rules over time to respond to emerging threats to consumer privacy, and has vigorously enforced those rules.4

3. Earlier this year, when the Commission reclassified broadband Internet access service (BIAS) as a telecommunications service under Title II of the Communications Act, it declined to forbear from applying section 222 to BIAS providers.5 The Commission found that broadband providers “serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers.”6 Recognizing, however, that the existing rules were written for voice services, the Commission held it was “not persuaded that the Commission’s current rules implementing section 222 necessarily would be well suited to broadband Internet access service.”7 It therefore forbore from applying the section 222 rules to BIAS services, “pending adoption of rules to govern broadband Internet access service in a separate rulemaking proceeding.”8 At the same time, the Commission specified that in reclassifying BIAS, it was not “regulating the Internet, per se, or any Internet applications or content.”9 Rather, as the Commission explained, its “reclassification of broadband Internet access service involves only the transmission component of Internet access service.”10

4. Consumer Watchdog’s request that “the Commission should, in addition to the CPNI rules it intends to adopt, promulgate rules protecting the authorized use of consumers’ personal information by requiring edge providers to honor ‘Do Not Track’ Requests” is inconsistent with the Commission’s articulation of the effect of its reclassification of BIAS and the scope of the privacy practices it stated that it intends to address pursuant to that reclassification.11 We therefore find that the Consumer Watchdog Petition plainly does not warrant consideration by the Commission pursuant to section 1.401(e) of the Commission’s rules.

5. Accordingly, IT IS ORDERED that, pursuant to sections 0.91, 0.291, and 1.401(e) of the Commission’s rules, 47 C.F.R. §§ 0.91, 0.291, 1.401(e), Consumer Watchdog’s Petition for Rulemaking to Require Edge Providers to Honor ‘Do Not Track’ Requests IS DISMISSED.

Thursday, November 05, 2015

:: NIST Invites Comments on Practice Guide for Improving Mobile Device Security

The National Cybersecurity Center of Excellence (NCCoE) requests comments on a draft guide to help organizations better secure and manage their mobile devices.
The draft NIST Cybersecurity Practice Guide Mobile Device Security: Cloud & Hybrid Builds (Special Publication 1800-4) demonstrates how commercially available technologies can help companies secure sensitive data accessed by and/or stored on mobile devices used by employees.
“Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses regardless of sector or organization size,” said Nate Lesser, deputy director of the NCCoE, part of the National Institute of Standards and Technology (NIST). “Our guidance can help organizations reduce their risk and increase their ability to see and respond to security issues.”
Security controls at many organizations have not kept pace with risks that mobile devices can pose. To address this challenge, NCCoE security engineers re-created a typical IT scenario involving commonly used devices, organizational email, calendaring and contact-management software. They then developed several configurations of commercial management and security technologies to improve mobile device security. The example solution detailed in the guide shows organizations how to configure a device so that it can be trusted, as well as how to remove the device from systems should it be lost or stolen or when an employee leaves the company.
The draft guide maps security characteristics to standards and best practices from NIST and other organizations. It provides instructions for implementers and security engineers on installing, configuring, and integrating the example mobile device security solution into existing IT infrastructures.
While the guide uses a suite of commercial products as part of the example solution, it does not endorse any particular products or guarantee regulatory compliance. The NCCoE’s example solution may be adopted or be used as a starting point for tailoring and implementing parts of a solution.
The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments. The public comment period is open through Jan. 8, 2016.
The guide is part of the center’s new series of publications, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target complex cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.
The NCCoE is the nation’s cybersecurity laboratory, addressing businesses’ most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The center collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.