In the Matter of Wireless E911 Location Accuracy Requirements
PS Docket No. 07-114
MEMORANDUM OPINION AND ORDER
Adopted: November 13, 2017
Released: November 14, 2017
By the Commission:
1. In this Memorandum Opinion and Order, we approve the Privacy and Security Plan (Plan) for the National Emergency Address Database (NEAD) submitted on February 3, 2017, by national wireless carriers AT&T, Sprint Corporation, T-Mobile USA, and Verizon (collectively, National Carriers) and NEAD, LLC. The NEAD, which is being developed for the purpose of identifying the dispatchable location of wireless 911 callers when the caller is indoors, is a database that will enable wireless providers to use media access control (MAC) address and Bluetooth Public Device Addresses (BT-PDA) information of fixed indoor access points to locate wireless devices being used to call 911. For the reasons discussed below, we approve the Plan, finding that it is consistent with the requirements outlined in the Indoor Location Fourth Report and Order and addresses the need to protect the privacy, security, and resiliency of the NEAD.
2. In the Indoor Location Fourth Report and Order, the Commission adopted E911 location rules that encourage the development of wireless E911 location technology that will support the provision of dispatchable location information (e.g., street address, floor level, and office or apartment number) to Public Safety Answering Points (PSAPs) when wireless customers place 911 calls from indoor locations. To support dispatchable location, the National Carriers have committed to design and build the NEAD, a national database of MAC address and BT-PDA information of fixed indoor access points (e.g., Wi-Fi and Bluetooth) that will be used to determine the specific indoor location of wireless 911 callers and play a critical role in enabling carriers to satisfy the Commission’s E911 rules.
3. The Indoor Location Fourth Report and Order required the NEAD to be used solely for 911 location purposes and prohibited its use for commercial purposes. The Commission also stated that as a precondition of activating the NEAD, the four nationwide carriers must develop a privacy and security plan for the NEAD and submit it for Commission approval. Further, the Commission stated that it would make the submitted plan available for public comment to “ensure that [it] addresses the full range of security and privacy concerns that must be resolved prior to use of the database.” The Commission stated that upon review of the plan and the record generated in response, it would “evaluate the need to take any additional measures to protect the privacy, security, and resiliency of the NEAD and any associated data.”
4. The NEAD Privacy and Security Plan. Following the release of the Indoor Location Fourth Report and Order, CTIA, a wireless communications industry trade association, created NEAD, LLC, a non-profit entity that the National Carriers have appointed to oversee development and operation of the NEAD platform and to serve as the NEAD Administrator. On February 3, 2017, NEAD, LLC and the National Carriers submitted the Plan to the Commission.
5. The Plan explains that the NEAD platform is comprised of two main components: (1) the NEAD, a database of verified wireless access point street address information described above, and (2) the National Emergency Address Manager (NEAM). The NEAM is a set of systems that will receive, process, and verify information on wireless access points that are submitted for inclusion in the NEAD. When a caller dials 911 from his or her wireless handset equipped with Wi-Fi and/or Bluetooth radios, the participating wireless carrier network will automatically collect information from the wireless handset about wireless access points within the vicinity of the wireless handset. The wireless carrier network will query the NEAD platform to determine whether the MAC address or BT-PDA information of any of these wireless access points is in the NEAD and is associated with a verified street address. If so, the wireless carrier network will provide street address information, as well as other in-building location information, to the PSAP as part of the 911 call. The Plan provides that during the call, “[a] 911 caller’s name and telephone number will not be shared with the NEAD Platform,” and that the only information wireless carriers will share with the NEAD platform are “the MAC addresses of detected Wi-Fi access points and the BT-PDA information of detected Bluetooth beacons.”
6. The Plan states that the NEAD platform must be populated with reliable and verified wireless access point information, including street address information and MAC address or BT-PDA information, so that wireless carriers can identify a dispatchable location. According to the Plan, the NEAD will initially be populated with such access point information from the National Carriers’ own Wi-Fi and Bluetooth installations, and from the installations of certain other businesses solicited by the National Carriers (i.e., businesses that have established large numbers of wireless access points, such as internet service providers, hotels, restaurants, retail stores, and building managers).
7. In the future, after modifications to the NEAD platform, information will also come from individual consumers, “who will be able voluntarily to input information about their wireless access points not otherwise provided to the NEAD along with information necessary for verification.” Data in the NEAD platform from the wireless carriers and other businesses will not include information about any associated individual consumers, such as the 911 caller’s name or telephone number. However, when the NEAD platform begins accepting voluntarily submitted access point data from individual consumers, those individuals “may need to provide additional information such as their name for verification purposes.” The Plan states that “in those cases where individual consumers do voluntarily submit access point data and their personal information to the NEAD for verification purposes, the individual consumer’s personal information will not be shared, except as otherwise required by law.”
8. The Plan describes “comprehensive controls” to support the security and resiliency of the NEAD platform. The administrative, physical, and technical controls the drafters of the Plan have selected are drawn from the leading cybersecurity frameworks and standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO) 27001 Information Security Management Standard, the Commission’s Communications Security, Reliability and Interoperability Council (CSRIC) IV Working Group 4 Report, and Center for Internet Security (CIS) Critical Security Controls. The Plan also provides that administrative controls will include policies and procedures for personnel, such as background checks for all personnel with access to the NEAD platform. Physical controls will include employee and personnel security procedures, badge access to facilities, biometric access to sensitive areas, as well as various perimeter defenses and continuous physical security patrol and facility monitoring. Technical controls will include “multiple layers of protection based on applicable industry practices and standards, from the host to the network edge, as well as vulnerability scanning and penetration testing.” NEAD Administrator personnel involved in the operation of the NEAD platform will receive privacy and security training at least annually. 
In addition, the Plan states that the NEAD platform will undergo privacy and cybersecurity risk assessments “at least annually.” The Plan notes that the NEAD is being designed to deliver “99.999% availability,” that it will be supported by multiple data centers across the country, and “[i]n the event of total destruction or catastrophic failure of the core site, other core sites will provide necessary processing until restoration is achieved.” The Plan also describes the consumer privacy protections that will be incorporated into the operation of the NEAD platform, including provisions implementing the Commission’s requirement that the information in the NEAD must be used to support the provision of E911 services and not for commercial purposes.
9. On February 28, 2017, the Commission’s Public Safety and Homeland Security Bureau (Bureau) released a Public Notice seeking comment on the Plan. Nine parties filed comments in response to the Public Notice.