The language of data privacy: What is CPNI and why should you care?

Customer Proprietary Network Information (CPNI) is data generated by wireless subscriber activity and collected by telecommunications companies. CPNI includes the time, date, duration, and destination number of a call, and some subscription information such as the number of lines on an account. The CPNI data designation does not include financial information or sensitive personal information like credit card data or Social Security Numbers.

Earlier in our series, we discussed Personally Identifiable Information (PII), which is a broader category of data than CPNI. PII includes names, addresses, phone numbers, email addresses, and other data that can be used to identify a specific individual or device. There is no overlap between the formal designations of CPNI and PII, but there are times when CPNI can become PII. This occurs when the CPNI data is linked to a specific person through a phone number, account number, or other subscriber information.  

As an example of a CPNI and PII breach, we can look at the data breach disclosed by AT&T in early 2023. Approximately 9 million customers were notified that an AT&T vendor had suffered a security incident that exposed first names, wireless account numbers, wireless phone numbers, email addresses, past due amounts, and upgrade eligibility. This incident did not expose sensitive PII like payment information or Social Security Numbers, but it did link individuals with communication patterns and other data.

Like all data designations, CPNI is subject to a specific scope of regulations and rules, refined over the years in response to the rapid increase in cellphone usage and CPNI data. In the United States, the Federal Communications Commission (FCC) is the agency charged with enforcing these rules and keeping the public informed of their rights and responsibilities related to CPNI data protection. These laws can change, so consult the FCC website if you have questions about current regulations.

As of March 2023, CPNI rules allow providers to gather and share aggregate customer data for specific purposes, such as troubleshooting areas with frequently dropped calls or planning for expansion in areas with higher demand than expected. The carrier can use personal CPNI data to market custom services based on a subscriber's account activity. Customers often have to opt out of this usage rather than opt-in. Brian Krebs has a detailed article on why you should opt out of sharing, including details on how one provider’s data breach may have resulted in the leak of a different provider’s customer data. One chilling point from his article underscores the fact that subscriber data will be monetized in all possible ways, even when there is a ‘grey’ area:

“The other problem with letting companies share or sell your CPNI data is that the wireless carriers can change their privacy policies at any time, and you are assumed to be okay with those changes as long as you keep using their services.

For example, location data from your wireless device is most definitely CPNI, and yet until very recently all of the major carriers sold their customers’ real-time location data to third party data brokers without customer consent.”

See KrebsonSecurity for more on that activity and the FCC response.

Some states do have more strict regulations around CPNI. Arizona requires an opt-in by the subscriber, and California requires more comprehensive disclosures to consumers. (CenturyTel has an example here).

It’s best to assume you are the only person interested in protecting your data. You probably can’t do much about security incidents like the AT&T vendor breach, but you can take steps to reduce your exposure:

• Use a unique, strong password with multi-factor authentication.
• Opt out of any CPNI data-sharing activities requested by your service provider.
• Avoid using public Wi-Fi networks. A VPN over a cellular or Wi-Fi connection will better protect your activity and the data that resides on your device.
• Watch for privacy notice updates from your providers and act accordingly.

The top mobile carriers have published information on how you can restrict their use of your data:

• Verizon CPNI and opt-out information
• T-Mobile privacy and opt-out information
• AT&T CPNI and opt-out information

Here are some additional references on CPNI protection:

• Privacy/Data Security/Cybersecurity: Customer Proprietary Network Information – FCC document on general enforcement areas
• What is customer proprietary network information (CPNI)? – TechTarget networking definition article
• CPNI Information – LCP Connect FAQ gives a good explanation of how CPNI is used if you do not opt-out.

Today is a good day to contact your wireless carrier and opt out of CPNI usage. It’s your data, and you can restrict its use. (Most of the time)

Barracuda provides a comprehensive cybersecurity platform to protect organizations from all major attack vectors. Visit our website to explore our cybersecurity platform.