LFAs Raise Privacy Concerns


A growing number of cities have expressed concern about the consumer-privacy policy Comcast Corp. recently disclosed to customers of former AT&T Broadband systems.

Some local franchise authorities have told the MSO it looks like the operator is giving itself more leeway in terms of its ability to share personal information with third parties.

Officials in Portland, Ore., for example, have expressed concern that the "vaguely worded document" could allow Comcast to share e-mail addresses; telephone and Social Security numbers; and even bank account and credit-card information.

With identity thefts on the rise — and complaints surging over increased junk mail and perceived spam e-mail — the issue of privacy is now being intensely debated. Franchising officials got on the case after Comcast made its privacy-protection practices known to former AT&T Broadband customers, starting in May.

Comcast's senior counsel and chief privacy officer, Gerard Lewis, replied to Portland's concerns by assuring that the company-wide policy does not lower prior AT&T Broadband privacy standards.

The MSO respects the privacy of its 22 million subscribers and is fully committed to protecting it, he said in a letter to concerned officials.

Lewis also said the policy complies with Section 551 of the federal Cable Act — and that competitors, such as direct-broadcast satellite providers, aren't subject to such oversight.

In a letter to Portland officials, he also wrote that Comcast's privacy practices are generally more restrictive than the privacy policy. For example, the cable operator legally reserves the right "to disclose customer names and addresses for mailing lists," he wrote. "However, as a general matter we do not sell or disclose subscriber names to third-party mailing lists."

Portland probing

Some communities — including Portland, historically an active local franchisor — have pointed out aspects of Comcast's "opt-out policy" that they don't like.

According to a letter Portland officials sent to Comcast, consumers can direct the MSO not to release their names and addresses to third parties. But according to the city's reading, the policy doesn't specifically limit the distribution of other, more highly personal information to third parties. And opting out doesn't prevent Comcast itself from calling the consumer.

"The revised policy is replete with so many exceptions, caveats and qualifications that a reasonably educated subscriber would, in our opinion, be warranted in entertaining a high degree of uncertainty as to whether the company has any genuine intention of protecting any of the subscribers' sensitive (personally identifying) information as a matter of overall policy," David Olson, director of Portland's Office of Cable and Franchise Management, wrote in a July letter to Comcast.

Comcast responded to Portland queries point by point, in an 11-page letter dated July 25.

Cable office deputy director Mary Beth Henry said officials are still evaluating the response and will discuss Comcast's compliance at an upcoming meeting of the Mount Hood Cable Regulatory Commission.

Among other points, Comcast said "in each situation where we may disclose [personally identifying information, or PII] to a third party we carefully review the business purpose for the disclosure" and seek to reveal as little as needed "for that purpose" under prescribed conditions.

For example, if Comcast outsourced pay-per-view billing functions to a third-party vendor, "we would disclose limited PII to that vendor under a strict obligation of privacy and non-disclosure for a specific, limited purpose, in this example sending out subscriber bills," the MSO said.

At another point, the Comcast letter to Portland states:

"Comcast's Privacy Policy applies to our cable-television subscribers, each of whom enters into a contractual agreement for us to provide them with cable service. Like any contractual relationship between a business and an individual purchasing the businesses' products or services, Comcast is within its rights to collect certain information sufficient to establish an account for the customer and to verify his or her payment ability and information.

"We don't disclose PII to 'outsiders,' which implies persons who have no connection to Comcast or its business. Rather, if we were to disclose PII, including financial PII, we would disclose only that PII necessary for the specific business purpose at hand and then under obligations of confidentiality and non-disclosure to a service provider. Comcast does not disclose PII except as expressly provided for in the Privacy Policy and Section 551."

Banned in Berkley?

The new policy might violate some city franchises, such as the one in Berkeley, Calif., which requires complete privacy.

According to terms set in the Berkeley franchise since 1992, consumers must affirmatively tell a cable operator that he or she wants personal information shared.

Roger Miller of the city's department of information technology said Berkeley is evaluating the privacy statement to determine if Comcast is in compliance.

"We are concerned," Miller said. "We want subscriber privacy by default."

Other cities are examining Seattle's approach.

Last year, Seattle passed an ordinance meant to ensure cable-customer privacy. The ordinance arose from concerns that AT&T Broadband's approach was overly broad according to Tony Perez, director of the city's Office of Cable Communications.

The Seattle ordinance was drafted to protect Internet users, too, after stories surfaced last year that Comcast was tracking the paths of its high-speed data users.

Seattle's law guards against disclosing viewing and use patterns, requires the destruction of personal data 90 days after it is no longer needed to provide service, and mandates that the cable operator report any information it shares to the city.

Maryland misgivings

Seattle's Perez is among those concerned about broad language in Comcast's policy. Perez said he showed the notice to a seasoned attorney who, after reading it, said he had no clue what his rights were.

"If an attorney can't translate it, what hope do consumers have?" Perez said.

Montgomery County, Md., officials also are concerned about the "pretty drastic" change they perceive in the cable operator's privacy policy. The county's cable system has changed hands from MediaOne Group Inc. to AT&T Broadband to Comcast.

Comcast might have violated local rules by sending the notice directly to consumers: The county franchise requires changes in policy be vetted by regulators, cable communications administrator Jane Lawton said.